The data breach that affected all 3 billion Yahoo accounts beginning in 2013 is getting a bit of closure this week, with a settlement agreement between Yahoo and the Northern District Court of California (via Engadget). In the settlement, Yahoo has agreed to put $50 million into a fund for victims of the breach, provide two years of credit monitoring from AllClear, and a few other benefits for victims. The settlement is still awaiting court approval.
Those users who spent time addressing the damage from the breach, and can show documentation that they were affected, will be able to file a complaint. The filing requires users to prove documented losses of time measured in hours, and victims can be awarded $25 per hour for up to 15 hours at a maximum of $375. If the user does not have proof of lost time, they are eligible for up to five hours of compensation reaching $125. Those who paid for a premium Yahoo email account will be able to request a 25 percent refund.
In September 2016, Yahoo first disclosed a 2014 hack in which "at least" 500 million Yahoo accounts were compromised. In December 2016, Yahoo then disclosed a second major hack that affected more than one billion accounts in August 2013 -- the case that this settlement is addressing. Yahoo's new parent company Verizon then explained in October 2017 that all three billion Yahoo accounts that existed at the time were affected in the 2013 hack.
Information stolen from affected accounts in the 2013 data breach included names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers. Clear text passwords, bank account information, and credit/debit card information were not believed to have been accessed in the attack.
Verizon said in a statement last year, "We proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," further iterating that Yahoo will now "benefit from Verizon's experience and resources" in the field of privacy and security.