Yahoo agrees to pay $117.5 million in latest settlement of massive data breach

Nearly 200 million people who had sensitive information snatched from their Yahoo accounts would receive two years of free credit-monitoring services and other potential restitution under a legal settlement valued at $117.5 million.

The deal revises an earlier agreement that was struck last October but rejected by U.S. District Court Judge Lucy Koh in San Jose. The value of that settlement had been pegged at $50 million, but Koh questioned the calculations.

A more detailed breakdown used in the revised settlement drove up the estimated cost. The money would be paid by Yahoo’s current owner, Verizon Communications Inc., and by Altaba Inc., a holdover from Yahoo’s past that still owns a multibillion-dollar stake in Chinese internet company Alibaba Group.


If approved, the settlement would become part of the financial fallout from digital burglaries that stole personal information from about 3 billion Yahoo accounts in 2013 and 2014 — believed to be the biggest data breach ever.

And now the $117.5-million settlement could become the largest ever doled out for a data breach. It eclipses a $115-million settlement that Koh approved last year to cover 79 million people whose personal information was stolen in a 2015 breach at health insurer Anthem Inc.

Yahoo didn’t begin to disclose the extent of its security breakdown until 2016 amid an FBI investigation that eventually linked some of the hacking to Russia. The revelations brought an end to the reign of Yahoo Chief Executive Marissa Mayer, eventually prompting the company to reduce its selling price to Verizon by $350 million.

Verizon has since written off much of the nearly $4.5-billion price for the Yahoo acquisition, a sign of Yahoo’s eroding value.

Lawyers representing the Yahoo account holders estimate that about 194 million people in the United States and Israel will be eligible to make claims, according to court documents. Those people collectively may have had about 896 million of the Yahoo accounts hit in the breach.

The biggest piece of the revised Yahoo settlement disclosed in documents filed Tuesday consists of the free credit-monitoring services that will be offered to everyone covered by the deal to protect them from identity theft and other potential problems. The service from AllClear usually costs $14.95 a month or $359 for two years. People who already have a credit-monitoring service would be eligible for cash payments instead.


Yahoo account holders who paid $20 to $50 annually for premium email accounts would be eligible for refunds of up to 25%. People who had to spend time protecting their identities or dealing with other issues caused by the breach can seek to be paid at a rate of $25 an hour for up to 15 hours, a maximum of $375.

The settlement would also pay as much as $32.5 million in fees and other expenses to the lawyers representing Yahoo account holders, down from the $37.5 million sought in the earlier agreement — another sticking point for Koh.

A hearing on the revised settlement is scheduled for June 27.