Yahoo Breach Settlement Rejected by Judge

A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.

Yahoo informed customers in 2016 that its systems had been breached in 2014 by hackers who had managed to access data from at least 500 million accounts. A few months later, the company disclosed a different breach, one that dated back to 2013, and which impacted all of its 3 billion users. Data obtained in the 2014 incident is said to have been used in 2015 and 2016 to illegally access accounts.

Yahoo and Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business, faced several lawsuits brought by investors and users.

Last year, Altaba agreed to pay a $35 million penalty to the SEC for not disclosing the 2014 breach to investors, and a judge approved an $80 million settlement that Altaba agreed to pay for misleading investors about the breaches. A court recently also approved a $29 million settlement over shareholder derivative class actions.

However, the settlement announced by Yahoo last October has been rejected by California judge Lucy Koh. As part of this settlement, the Internet giant agreed to pay $50 million in damages and provide two years of free credit monitoring services to 200 million individuals impacted by the breaches in the US and Israel.

The judge is unhappy with the fact that the settlement seeks to absolve Yahoo for any breaches it may have suffered in 2012 – Yahoo has denied having knowledge of any breaches prior to 2013.

Judge Koh’s decision is also based on what she described as inadequate disclosure of the total size of the settlement fund, which makes it difficult to determine how much each of the victims will receive.

“The proposed notice discloses $50 million to cover out-of-pocket costs, alternative compensation, paid user costs, and small business user costs,” the judge argued in her ruling. “In addition, the proposed notice discloses that class counsel may apply for attorneys’ fees of up to $35 million, costs and expenses of up to $2.5 million, and service awards of up to $7,500 each for settlement class representatives, to be paid separately from the settlement fund. The proposed notice does not disclose the costs of credit monitoring services or costs for class notice and settlement administration, and does not disclose the total size of the settlement fund.”

The judge also did not like the fact that the settlement proposition authorizes up to $35 million for attorneys, separately from the settlement fund. She described the fees as “unreasonably high” and noted that any unawarded attorney fees would be reverted to Yahoo instead of the victims.

The decision is also based on what the judge has described as a “misleading estimate as to the size of the settlement class.” The estimate that 200 million US and Israeli nationals are impacted by the breach is based on a “population study” rather than an actual analysis of accounts. Non-public information provided by Yahoo to the court showed a much smaller number of users eligible to seek compensation, which makes it difficult to assess whether the settlement is fair and reasonable.

The judge also believes that Yahoo’s promises to improve security are vague and do not include any specific information on an increase in budget or number of employees.

Related: Uber Agrees to $148M Settlement With States Over Data Breach

Related: Neiman Marcus Reaches $1.5 Million Data Breach Settlement

Related: Lenovo Pays $7.3 Million to Settle Superfish Adware Lawsuit

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.