Yahoo agrees to pay $50 million to settle data breach lawsuit

The company will also provide free credit monitoring services to roughly 200 million people impacted by the cyberattacks.
Written by Charlie Osborne, Contributing Writer

Yahoo must pay $50 million in damages to victims of one of the largest data breaches on record.

On Monday, a settlement was filed with the United States District Court in California which laid to rest the two-year-old lawsuit.

Yahoo has agreed to pay $50 million in compensation to victims of the security breach, estimated to be roughly 200 million individuals. In addition, the tech giant will provide a minimum of two years of free credit monitoring to those involved.

The settlement relates to two separate breaches, taking place in 2013 and 2014.

CNET: White House wants to borrow tech workers from Google, Amazon, says report

The first data breach impacted all of Yahoo's three billion accounts. The company said at the time that the theft of source code permitted attackers to access an account at will, even though passwords were not stored in plain text.

In the second cyberattack, the firm said 500 million accounts were affected and compromised by a "state actor" who stole user credentials. Names, email addresses, telephone numbers, dates of birth, hashed passwords, and -- in some cases -- encrypted or unencrypted security questions and answers were exposed.

TechRepublic: How RATs infect computers with malicious software

The data breaches were not disclosed at the time, but rather, in 2016, a delay which sparked anger not only among the general public but also investors. Their impact was catastrophic for Yahoo's reputation and also caused the company a severe headache in relation to an acquisition bid put forward by Verizon.

Yahoo was acquired by Verizon in 2016. The original price tag was roughly $4.8 billion, but after the severe security lapse came to light, Yahoo agreed to a discount of $350 million.

The deal was finalized in 2017, leading to the resignation of former Yahoo CEO Marissa Mayer. Yahoo's core Internet assets were then merged with AOL, now a Verizon-owned company, and rebranded as Oath.

The remaining Yahoo business was rebranded as Altaba.

See also: The most interesting Internet-connected vehicle hacks on record

Yahoo will pay half of the settlement cost, while Altaba will front the rest of the bill. Altaba has already paid a $35 million fine issued by the US Securities and Exchange Commission (SEC) in penance for Yahoo's failure to disclose the breach to investors in a timely manner.

A judge will rule on the settlement on November 29.

Our top choices for tech gifts

Previous and related coverage

Editorial standards