If you had a Yahoo account anytime between 2012 and 2016, you may be entitled to part of a $117.5 million proposed settlement after a series of data breaches and intrusions from 2012 through 2016.
Information taken includes emails, passwords, birthdates, security questions and contacts.
If you’re affected, you can sign up for at least two years of free services, including credit and identity theft monitoring. Or, you can opt to file for alternative cash compensation, of up to $358. (Note the “up to” — payments are unlikely to be nearly that high.)
You won’t likely see any compensation for at least a year, according to Yahoo. Here’s how to navigate the settlement and steps to take if your data was compromised — or even if it was not. Data breaches are common, and the risk is real.
1. See if you are eligible
Anyone who had a Yahoo account — Yahoo email, Yahoo Fantasy Sports, Yahoo Finance, Flickr or Tumblr — between the beginning of 2012 and the end of 2016 and is a resident of the United States or Israel can file a claim.
Look for details in your Yahoo mailbox if you still have the account, with the subject line “Yahoo Security Breach Proposed Settlement.” Or go to the settlement administrator website.
2. Decide whether to opt in or out
If you sign up for compensation, you’re opting into this settlement and giving up your right to sue separately. If you want to keep your right to sue the defendants, you have until March 6, 2020, to exclude yourself. That has to be done in writing. Send your letter to:
In re: Yahoo! Inc. Customer Data Security Breach Litigation
c/o Settlement Administrator
P.O. Box 1760
Philadelphia, PA 19105-1760
If you decide to take part in this settlement, fill out a claim form linked at the upper right on the settlement website. Or download, fill out and mail the appropriate form from the list at the lower right. You can choose either the credit monitoring or alternative cash reimbursement. If you were affected by the Equifax data breach and already signed up for credit services through that, take that into consideration when choosing.
Credit and identity theft services: You are eligible for two years of credit monitoring covering the three major credit bureaus, provided by AllClear ID. You also get: identity theft insurance; monitoring and notification when stolen identity information has been detected and reported; restoration services if you experience identity theft or fraud; ID theft scan for your minor children; and lost-wallet assistance.
Alternative cash reimbursement: If you already have credit monitoring in place, you can file for cash reimbursement. There’s an initial cap of $100, however that could go up or down depending on the number of valid claims. Settlement documents say you can get up to $358 if few enough people seek compensation, but that seems unlikely. If enough valid claims are filed so that funds are exhausted, the cash awards will be reduced proportionately.
Temper your expectations: The settlement is $117.5 million. That money has to cover credit monitoring costs, the reimbursement for out-of-pocket costs, the cost of class-action notices, settlement expenses and attorney fees. The settlement website FAQ says lawyers could be paid up to $30 million, and up to $2.5 million for expenses, which would shave the settlement to $85 million.
Deadline: You must file your claim online or mail it by July 20, 2020.
3. Decide whether to claim other compensation
You might be compensated for time spent trying to protect yourself as a result of the data breaches. Again, if the settlement funds won’t cover all the valid claims, reimbursement will be cut proportionally.
TIme spent: Compensation may be offered for time spent remedying ID theft issues that can be reasonably connected to the breach. That will be offered at $25 an hour or your documented wage, if higher. Claims must be documented.
Out-of-pocket costs: If you paid for Yahoo premium or small-business services, you may be eligible for reimbursement for a percentage of those fees. You can also file for credit freezes you paid for or credit monitoring services you ordered after Jan. 1, 2012.
4. Take these steps now
The prospect of a little windfall can overshadow the bad news that what the settlement website calls “malicious actors” may have access to your personal data.
If you still have your Yahoo account, even if you don’t use it often, change your password and security questions.
In general, assume your data is out there, if not from these breaches, then from Equifax or Capital One — or the next one.
- Freeze your credit so that no one can open a new credit account in your name.
- Protect your children by freezing their credit as well. They should not have credit reports, but an identity thief may be able to create a fake consumer using their Social Security number.
- Always check credit card statements to be sure you recognize the purchases.
- Check your medical insurance claim forms carefully. If someone has used your personal data to steal health care services, results could be serious if medical histories are mixed up.
- Ask questions before putting your Social Security number on forms. Know why it is needed and how it will be protected.
- Be cautious about what you post on social media and check your privacy settings. Assume that you are only as protected as your least-protected connection.