The company actually suffered a pair of breaches in 2013 and in 2014, although this information was not disclosed by the company until 2016. All of the company’s 3 billion users were impacted, and more than 200 million of them saw losses arising from that breach.
The compromised data included: usernames, email addresses, dates of birth, security questions (and their answers) backup email addresses, and phone numbers exposed.
The particulars of the settlement are as follows:
- Yahoo pays $50 million to users whose accounts were compromised
- Yahoo pays $35 million in legal fees
- People who paid for a $20 or $50 a year for a Yahoo Premium account will be eligible for a 25 percent refund
- People who had their email accounts compromised will be compensated $25 per hour for the time they spent handling issues related to the breach. Although in this case, users with documentation will see their compensation limited to a maximum of fifteen hours, while users without documentation will be limited to a maximum of five hours of compensation
- Any impacted user can request free credit monitoring, which the company will offer for two years
Verizon, which acquired Yahoo in 2017, will pay for half of the settlement cost. Meanwhile, Altaba (the company that arose from the remainder of the original Yahoo business) will pay the $35 million fine imposed by the US Securities and Exchange Commission for the company’s failure to disclose the breach to its investors.
It’s a landmark case, and once the deal gets final approval, notices will be emailed to affected account holders and published in People and National Geographic magazines.