Settlement fund covers losses caused by multiple cyber-attacks, but you must apply by July 20

The Yahoo data breach settlement deadline is July 20, 2020

Yahoo users embroiled in multiple data breaches leading to the widespread theft of personal information have just six days left to join a multimillion-dollar class action settlement.

The first Yahoo security incident took place in 2013. In what is considered to be one of the largest online breaches in history, the email provider originally said that one billion accounts were compromised, but now believes all three billion users are likely to have been affected. 

Separate breaches also occurred in 2014 and between 2015 and 2016, with the latter exposing data belonging to one billion user accounts.

Information including names, dates of birth, telephone numbers, hashed passwords, and unencrypted security questions and answers may have been stolen.

Multimillion-dollar settlement

In the wake of the data breaches, Yahoo was subject to class-action lawsuits on behalf of consumers. Now consolidated (PDF), a settlement fund of $117.5 million has been agreed.

“The massive size and Yahoo’s handling of the data breaches, including Yahoo’s failure to notify its users after the data breaches occurred and [after] Yahoo learned about the data breaches, demonstrate that Yahoo recklessly and negligently disregarded its duty and obligations to safeguard and address misuse of its user’s PII,” the complaint reads.

The July 20 settlement application deadline for Yahoo users is fast approaching. The tech giant – acquired by Verizon Communications for $4.48 billion in 2017 and now operating under the Oath subsidiary – has agreed to pay up to $25,000 to each individual impacted. 

The number of eligible users for settlement is thought to be roughly 95 million.

RELATED Yahoo offers $80m payout following 2013 data breach

Yahoo’s data breach settlement program requires users to submit a claim to receive two years of free credit monitoring, or if you already have signed up for such a service, you could claim a cash payment of $100, potentially rising to $358.80 depending on how many claims are filed. 

In addition, claimants that can provide evidence of material damage caused by the data breaches could be eligible for a payout in the thousands, including out-of-pocket expenses, lost time, and up to 15 hours of recorded time off work at $25 per hour, or five undocumented hours at the same rate. 

Payouts may also be made available for users that have purchased adverts, premium Yahoo Mail services, or Aabaco Small Business solutions, including business email subscriptions.

How to become a class action settlement member

If you were a Yahoo user between January 1, 2012, and December 31, 2016, and are a resident in either the US or Israel, you can apply for compensation. 

In order to do, users need to fill out and submit a claim form, either online or by post.

Yahoo has provided a separate form for each compensation request. The forms are categorized for standard account holders, paid users, small business users, and residents of Israel (1, 2, 3, 4). 

Alongside providing financial compensation to users, the company has also promised to “continue to enhance its business practices that will improve the security of its users’ personal information stored on its databases”.

Read more of the latest data breach news

Users who choose not to apply for compensation are still bound by a legal stipulation in the settlement. After the deadline, they will not be able to sue Yahoo over the data breaches in question, however, those that opted out of the settlement before March 6 are exempt.

The settlement must be approved by US courts to become final and for payments to be released.

Paul Bischoff, privacy advocate at, told The Daily Swig that despite the sheer scale of the Yahoo breach, the actual impact is small compared to the 2017 Equifax data breach.

“The only other breach settlement to reach anywhere near this scale is Equifax, which paid $125 out to victims,” he said.

“Although the Equifax breach was smaller, its leaked records included much more valuable information, such as Social Security numbers and other private info that could be used for identity theft. In contrast, the majority of information leaked about Yahoo accounts is mainly used for phishing and spam.

“Yahoo didn’t leak plain-text passwords or financial information, just names, email addresses, dates of birth, security questions, telephone numbers, and hashed passwords. So, either Yahoo is paying too much, or Equifax paid too little.”

The Daily Swig has reached out to Yahoo and will update this article accordingly.

READ MORE Chaos after the storm: Yahoo data breach found to affect all three billion customers