Well, here we are again. Even years later, it's still hard to fully grasp the degree to which Yahoo failed at protecting the data of billions of people across multiple breaches in the 2010s. But now, thanks to a class action suit against Yahoo that has reached a proposed settlement, you have until July 20 to file a claim if you were impacted. Don't miss out on your chance for a $100 apology.
You might have already gotten an email or other notification about this in September; if you filed a claim at the time, more power to you. But if you just got a notice—or follow-up—last week and haven't taken action yet, now is the time.
You're eligible to submit if you had a Yahoo account laying around anytime between January 1, 2012, and December 31, 2016, and reside in the United States or Israel. You can claim for either credit monitoring or cold, hard cash. As with other data breach class actions like the Equifax settlement, though, there are some things to, ahem, watch out for to make sure you're maximizing your payout.
Let's take a quick stroll down memory lane, shall we? Yahoo announced in September 2016 that an intrusion in 2014, likely perpetrated by state-sponsored hackers, compromised personal information from 500 million user accounts. Two months later, the company added that it had suffered a separate breach in August 2013 that exposed a billion accounts. And in March 2017, the company admitted that the same state sponsored actor responsible for the 2014 attack also stole Yahoo data during 2015 and 2016, compromising 32 million more user accounts. All deeply problematic and concerning! But then in October 2017, the company outdid itself by revising its estimate for the August 2013 breach from 1 billion accounts to 3 billion. Which is to say, every Yahoo account that existed at the time of the intrusion. Wild.
Yahoo owner Verizon did not return a request from WIRED for comment on the settlement.
Yahoo will use a settlement fund is $117.5 million to pay out claims. If you had a Yahoo account between 2012 and 2016 you can claim online or by mail for two years of free credit monitoring. If you can show that you already have credit monitoring—like, say, from the Equifax breach—you can claim for "alternative compensation," which will be cash up to $100. That amount could go up to $358.80 or more, if an unexpectedly low number of people enter claims. Exactly how much you get will depend on how many people submit. But everyone should! Better to get $4 and express your dissatisfaction than get $100 knowing that tens of thousands of eligible users didn't submit.
Similar to the Equifax settlement, you can also claim online or by mail for out-of-pocket costs associated with the breaches, like digital security services you bought to protect yourself at the time, identity theft mitigation services, or simply time spent dealing with the fallout of the breach. If you can document specific losses you suffered as a result of the Yahoo hacks, you can receive reimbursement up to $25,000, including up to 15 hours of time billed at $25 per hour or your hourly work rate (whichever is greater) if you can show that you missed time at work. But here's the important part for most people: Even if you can't prove that you spent time dealing with the repercussions of the breaches, you can still claim payment for up to five hours of lost time at $25 per hour or your hourly work rate if it is higher. So that's a reliable $125 right there. You can file claims for both credit monitoring/alternative compensation and out-of-pocket costs.
If you want to reserve the right to sue over these breaches in the future, you must send a letter to the Settlement Administrator by March 6.
The settlement won't be finalized until a hearing on April 9. The fund was originally set at $50 million and rose to $117.5 million last April after Northern District of California judge Lucy Koh called the original number unreasonable and unfair. So given this trajectory, it is unlikely that the fund will shrink as a result of the final hearing.