Yahoo must pay $50M in damages for security breach

The company will also provide at least two years of credit-monitoring and identity theft protection insurance for around 200 million people.

Abrar Al-Heeti Video producer / CNET

Yahoo will have to pay $50 million in damages as part of a settlement following massive data breaches in 2013 and 2014. The settlement was filed Monday.

In addition to paying $50 million, Yahoo will also have to provide at least two years of credit monitoring services for around 200 million people who had personal information such as names, email addresses and phone numbers stolen.

Yahoo's 2013 breach affected 3 billion accounts, while the 2014 breach affected 500 million accounts. Both were disclosed in 2016. At the time, Yahoo said the 2013 hack affected 1 billion accounts, but that number was updated to all 3 billion in 2017. Hacked information included passwords that were encrypted, but which could be cracked. 

Verizon, which acquired Yahoo in 2017, will pay half the settlement cost, while Altaba, the company formed from the ashes of Yahoo's sale to Verizon, will pay the other half. In April, the US Securities and Exchange Commission said Altaba had to pay $35 million for Yahoo's failure to disclose the breach in 2014.

A judge is scheduled to rule on the settlement on Nov. 29.

Yahoo declined to comment. 


First published Oct. 23 at 3 p.m. PT.
Update, 3:40 p.m.: Adds that Yahoo declined to comment.