Yahoo's $117.5 million settlement of massive data breaches occurring between 2012 and 2016 has been granted preliminary approval by a federal judge.
The deal's terms don't “improperly grant preferential treatment to any individual or segment of the settlement class and fall within the range of possible approval as fair, reasonable, and adequate,” U.S. District Court Judge Lucy Koh in the Northern District of California wrote Saturday in an order allowing the settlement to advance.
Koh added that the resolution “appears to be the result of serious, informed, non-collusive negotiations conducted with mediators.”
The settlement calls for Yahoo to pay up to around $87 million to create a fund for 200 million people whose data was stolen by hackers between 2012 and 2016, and who suffered monetary losses -- either because they paid for credit monitoring or for premium email accounts. The deal also allows class counsel to request up to $30 million in attorneys' fees.
The settlement resolves several separate instances of alleged security lapses.
In 2013, hackers stole data -- including, in some cases, names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers -- associated with an estimated 3 billion Yahoo accounts. Yahoo didn't disclose that breach until December of 2016.
In 2014, a separate data breach resulted in the theft of similar information associated with 500 million accounts. The company did not disclose that breach in September of 2016, when it was about to be acquired by Verizon.
Another breach, which occurred between 2015 and 2016, involved hackers gaining access to users' passwords by forging cookies.
The company previously agreed to pay $35 million to settle charges by the Securities and Exchange Commission, which alleged Yahoo misled investors by waiting nearly two years to disclose the 2014 data breach.
Koh previously rejected a potential deal that called for Yahoo, now owned by Verizon, to pay up to $85 million. The judge turned down the earlier deal for several reasons, including that it would have released the company from claims by users whose data was stolen in 2012.
That provision was problematic, according to Koh, because the prior class-action complaint didn't reference any 2012 data breaches. Class counsel subsequently filed an amended class-action complaint that included allegations about the 2012 security breach.