One of the largest consumer internet hacks has bred one of the largest class action settlements after Yahoo agreed to pay $50 million to victims of a security breach that’s said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide.
In what appears to be the closing move to the two-year-old lawsuit, Yahoo — which is now part of Verizon’s Oath business [which is the parent company of TechCrunch] — has proposed to pay $50 million in compensation to an estimated 200 million users in the U.S. and Israel, according to a court filing.
In addition, the company will cover up to $35 million in lawyer fees related to the case and provide affected users in the U.S. with credit monitoring services for two years via AllClear, a package that would retail for around $350. There are also compensation options for small business and individuals to claim costs for losses associated with the hacks. That could include identity theft, delayed tax refunds and any other issues related to data lost at the hands of the breaches. Finally, those who paid for premium Yahoo email services are eligible for a 25 percent refund.
The deal is subject to final approval from U.S. District Judge Lucy Koh of the Northern District of California at a hearing slated for November 29.
Because Yahoo is now part of Oath, the costs will be split 50-50 between Oath and Altaba, the holding company that owns what is left of Yahoo following the acquisition. Altaba last month revealed it had agreed to pay $47 million to settle three legal cases related to the landmark security breach.
Yahoo estimates that three billion accounts were impacted by a series of breaches that began in 2013. The intrusion is believed to have been a state-sponsored attack by Russia, although no strong evidence has been provided to support that claim.
The incident wasn’t reported publicly until 2016, just months after Verizon announced that it would acquire Yahoo’s core business in a $4.8 billion deal.
At the time, Yahoo estimated that the incident had affected “at least” 500 million users, but it later emerged that data on all of Yahoo’s three billion users had been swiped. A second attack a year later stole information that included email and passwords belonging to 500 million Yahoo account holders. Unsurprisingly, the huge attacks saw Verizon negotiate a $350 million discount on the deal.