SAN JOSE, Calif. (CN) – Yahoo investors claiming they lost millions after a series of massive data breaches will get $80 million under a settlement approved by a federal judge late Wednesday.
In early 2017, a class of investors led by Mark Madrack sued Yahoo following its admission on Dec. 14, 2016, that Russian hackers had stolen information from more than 500 million users in 2014. The next day, Yahoo’s stock price fell by $2.50.
A few months later, Yahoo revealed that another data breach had happened in August 2013 and that 3 billion users’ accounts had been compromised. Data breaches affecting 32 million users also occurred in 2015 and 2016.
Hackers made off with what Yahoo’s security team internally referred to as its “crown jewels”: the usernames, email addresses, birthdates, phone numbers, passwords and security questions and answers.
The settlement comes as Yahoo agreed to pay a $35 million penalty to the Securities and Exchange Commission for concealing the breaches. Madrack’s lawsuit was filed on Jan. 24, 2017, one day after the SEC announced that it was opening an investigation on the timing of Yahoo’s data breach disclosures.
The SEC found that Yahoo filed several quarterly and monthly reports between 2014 and 2016 saying only that Yahoo faced the risk of a data breach and warning about the potential negative impacts of such a breach, without mentioning that one had already occurred.
“We do not second-guess good faith exercises of judgment about cyberincident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, co-director of the SEC Enforcement Division in a statement.
Yahoo changed its name to Altaba after it was bought by Verizon in June 2017.
U.S. District Judge Lucy Koh granted preliminary approval and set a final approval hearing for September. The settlement covers all investors who bought Yahoo stock between April 30, 2013 and Dec. 4, 2016.
Attorneys for both sides did not respond to emails seeking comment.