Yahoo! - Data Breach
Settlement Deadline: July 20, 2020

This case involves multiple data breaches occurring at Yahoo in 2013 through 2016, as well as data security intrusions occurring in early 2012 (collectively, the “Data Breaches”):

• The “2012 Data Security Intrusions”: From, at least as early as January to April 2012, at least two different malicious actors were able to access Yahoo’s internal systems. The available evidence, however, does not reveal that user credentials, email accounts, or the contents of emails were taken out of Yahoo’s systems as a result.

• The “2013 Data Breach”: In August 2013, malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts—approximately three billion accounts worldwide. The records taken included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders. As a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, any private information contained within users’ emails, calendars, and contacts.

• The “2014 Data Breach”: In November 2014, malicious actors were again able to gain access to Yahoo’s user database and take records of approximately 500 million user accounts worldwide. Like the 2013 Data Breach, the records taken in the 2014 Data Breach included the names, email addresses, telephone numbers, birth dates, passwords, and security questions and answers of Yahoo account holders, and, as a result, the actors may have also gained access to the contents of breached Yahoo accounts and, thus, any private information contained within users’ emails, calendars, and contacts.

• The “2015/2016 Data Breach”: From 2015 to September 2016, malicious actors were able to bypass the need for a user account password by creating “forged cookies” that provided the malicious actors with access to Yahoo users’ email accounts. The 2015/2016 Data Breach impacted approximately 32 million user accounts worldwide.

 

If you had a Yahoo account between January 1, 2012 and December 31, 2016 and were sent a notice concerning the data breaches, you may be included in this settlement.

Varies

July 20, 2020