Yahoo has agreed to pay up to $117.5 million to resolve claims stemming from data breaches that affected an estimated 200 million users, according to court papers filed this week.
If approved, the new agreement would create a fund for around 200 million people whose data was hacked between 2012 and 2016 and who had monetary losses -- either because they paid for credit monitoring, or for premium email accounts. The deal also calls for class counsel to request up to $30 million in attorneys' fees.
News of the deal comes three months after U.S. District Court Judge Lucy Koh in the Northern District of California rejected an earlier agreement that called for Yahoo, now owned by Verizon, to pay up to $85 million.
She turned down the earlier deal for several reasons, including that it would have released the company from claims by users whose data was stolen in 2012. Koh found that provision problematic because the prior class-action complaint didn't reference any 2012 data breaches.
“Yahoo has never disclosed any such harm to its users and continues to deny any data breach prior to 2013,” Koh wrote in January. “Accordingly, the Court and class members have no basis to evaluate the 2012 claims and their release.”
On Monday, class counsel filed a new class-action complaint that included allegations about a 2012 security breach. The complaint also references other data breaches that occurred between 2013 and 2016.
In 2013, hackers stole data -- including, in some cases, names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers -- associated with an estimated 3 billion Yahoo accounts. Yahoo didn't disclose that breach until December of 2016.
In 2014, a separate data breach resulted in the theft of similar information associated with 500 million accounts; the company didn't disclose that breach until September of 2016, when it was about to be acquired by Verizon.
Another breach, which occurred between 2015 and 2016, involved hackers gaining access to users' passwords by forging cookies.
The company previously agreed to pay $35 million to settle charges by the Securities and Exchange Commission, which alleged Yahoo misled investors by waiting nearly two years to disclose the 2014 data breach.