
Yahoo Data Breach: One Billion Users Exposed

by John DiGiacomo, Partner

The Yahoo data breach is one of the largest cyber security incidents to date. In December 2016 Yahoo announced that it had been the victim of a cyber attack in August 2013, and the revelation could have an impact on Yahoo’s pending sale to Verizon. Yahoo stated that data associated with more than one billion user accounts may have been stolen in that attack. The August 2013 attack is separate from a second breach Yahoo had disclosed only months earlier: a late-2014 intrusion in which the credentials of at least 500 million user accounts may have been stolen. The news of the 2013 breach sent Yahoo’s stock price down about 2.5%.

According to Yahoo, an unauthorized third party gained access to a portion of Yahoo’s systems and accessed its proprietary code to learn how to forge cookies, which would let the attacker sign in to an account without the password. Yahoo said it believed the intrusion was carried out by a state-sponsored actor, and that there was evidence the same party or parties were responsible for both breaches.
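To make concrete what “forging cookies” means, here is an added illustration that is not Yahoo’s code and does not describe Yahoo’s actual cookie format, which this page does not disclose. It assumes a generic design in which a login cookie is a user ID plus an expiry, authenticated with an HMAC under a server secret. Everything below (the functions, the secrets and the user names) is constructed for the example.

```python
import base64
import hashlib
import hmac
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_cookie(user_id: str, secret: bytes, ttl: int = 3600, now=None) -> str:
    """Mint a login cookie: base64(user|expiry) . base64(HMAC-SHA256(secret, payload))."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl}".encode()
    return _b64(payload) + "." + _b64(_sign(payload, secret))


def verify_cookie(cookie: str, secret: bytes, now=None):
    """Return the user ID if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        encoded_payload, encoded_tag = cookie.split(".", 1)
        payload = _unb64(encoded_payload)
        tag = _unb64(encoded_tag)
    except ValueError:  # malformed base64 or missing separator
        return None
    # Constant-time compare so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(_sign(payload, secret), tag):
        return None
    user_id, _, expiry = payload.decode().rpartition("|")
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return user_id


def forge_cookie(victim_id: str, leaked_secret: bytes, now=None) -> str:
    """Identical to issue_cookie: whoever holds the secret (for instance from
    stolen source code that embeds it) can mint a valid cookie for any user
    without knowing that user's password."""
    return issue_cookie(victim_id, leaked_secret, now=now)


def demo() -> dict:
    """Walk through legitimate use, tampering, forgery and key rotation."""
    secret_v1 = b"server-secret-v1"  # assumed: the key the attacker obtained
    secret_v2 = b"server-secret-v2"  # assumed: the key after rotation
    now = 1000

    legit = issue_cookie("alice", secret_v1, now=now)

    # Tampering without the secret: swap the user ID but keep alice's tag.
    _, tag = legit.split(".", 1)
    tampered = _b64(f"bob|{now + 3600}".encode()) + "." + tag

    # Forgery with the secret: the attacker needs no password at all.
    forged = forge_cookie("bob", secret_v1, now=now)

    return {
        "legit_ok": verify_cookie(legit, secret_v1, now=now),            # "alice"
        "tampered_ok": verify_cookie(tampered, secret_v1, now=now),      # None
        "forged_ok": verify_cookie(forged, secret_v1, now=now),          # "bob"
        # Rotating the secret invalidates the forgeries, but also every
        # legitimate session, which is why users must sign in again.
        "forged_after_rotation": verify_cookie(forged, secret_v2, now=now),  # None
        "legit_after_rotation": verify_cookie(legit, secret_v2, now=now),    # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The HMAC protects against tampering only while the key stays secret; once the key (or code that embeds it) is stolen, a forged cookie is indistinguishable from a real one. The usual defenses are keeping signing keys out of source code, rotating them so stolen cookies stop working, and keeping session state server-side so a minted cookie still has to match a record the server created.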

What Data Was Taken in the Yahoo Data Breach?

Between the August 2013 and late-2014 breaches, billions of pieces of users’ personal information were compromised. The exposed information included:

  • Names
  • Email addresses
  • Telephone numbers
  • Birth dates
  • Hashed passwords
  • Encrypted or unencrypted security questions
  • Encrypted or unencrypted security question answers

Yahoo has indicated that it does not believe any unhashed or clear text passwords were stolen, nor that any credit or debit card information or bank account information was stolen.

The Impact the 2013 Hack May Have on Yahoo’s Sale to Verizon

Yahoo and Verizon had already agreed on the terms of a deal under which Verizon would buy Yahoo’s operating business when Yahoo revealed to Verizon and the public that it had been compromised on such a massive scale. Because the deal had not yet closed, the disclosure could still affect it. Verizon did not back out at the time of the announcement, but it stated that the 2013 breach was a material event that could play a role in a price adjustment.

Yahoo’s Response Actions to the Hack

Yahoo began the process of containing the intrusion and notifying those individual users who were affected by the 2013 breach. Affected users were contacted and required to change their account passwords and to create new security questions and answers.

Legal Fallout: What the Yahoo Data Breach Means for Businesses and Consumers

The Yahoo data breach ultimately resulted in one of the largest breach-related legal settlements in history and established important precedents about corporate disclosure obligations, securities law, and the scope of class action liability in consumer data breach cases. The legal consequences of the Yahoo breach illustrate what is at stake for any company that holds large quantities of user data.

The SEC Enforcement Action

In April 2018, Altaba (the entity that remained after Yahoo sold its operating business to Verizon) agreed to pay a $35 million penalty to settle SEC charges that Yahoo had failed to disclose the 2014 breach to investors in a timely fashion, in violation of the securities laws. The SEC alleged that Yahoo made materially misleading statements and omissions in its public filings after the 2014 breach by not disclosing it as a known incident or risk, even though Yahoo’s information security team had known of the intrusion within days. The settlement marked the first time the SEC penalized a public company specifically for failing to disclose a cybersecurity breach.

The implication for public companies is direct and significant: a data breach is a material event that must be disclosed in SEC filings. The SEC has since adopted formal cybersecurity disclosure rules, effective December 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality, and to provide annual disclosure about cybersecurity risk management processes on Form 10-K. Failure to disclose a material breach creates exposure under Section 10(b) of the Securities Exchange Act of 1934 and SEC Rule 10b-5.

The Class Action Settlement

Consumers affected by the Yahoo breaches filed a consolidated class action in the Northern District of California. In 2019, Yahoo (with Altaba) agreed to a class action settlement of $117.5 million, which the court granted final approval in 2020. The settlement provided affected class members with credit monitoring services, cash payments, and identity theft protection. The breaches themselves were ultimately found to be far broader than first announced: in 2017 Yahoo disclosed that the 2013 intrusion had affected all of its roughly three billion accounts, making this one of the broadest data breach class actions ever settled.

The legal theories pursued in the Yahoo class action — negligence, breach of contract, and breach of implied warranty of reasonable security — are the same theories plaintiffs bring in virtually every large-scale consumer data breach case. The Yahoo settlement established a benchmark for the value of data breach class claims at scale, and courts in subsequent breach cases have cited it in evaluating the reasonableness of proposed settlements.

State Data Breach Notification Law Violations

Yahoo’s delayed disclosure of the 2013 breach, which was not announced publicly until December 2016, more than three years after it occurred, placed Yahoo in potential violation of the data breach notification statutes of numerous states. Most state notification laws require notification “without unreasonable delay” or within a specified number of days of discovering a breach. The clock under these statutes runs from discovery rather than from the intrusion itself, so the question for Yahoo was when it had reasonable belief that user data had been taken; a three-year gap between that point and notification would violate every state’s statute.

Yahoo’s position was that it had not definitively confirmed the scope of the breach and therefore did not trigger the notification requirement until later. Regulators and courts have generally rejected the argument that an obligation to notify can be deferred indefinitely while an investigation continues. Most statutes require notification when the business has reasonable belief that a breach of personal information has occurred — not when it has reached certainty about every detail of the breach.

The Impact on the Verizon Acquisition Price

The Yahoo breach had direct contractual consequences for the Verizon acquisition. Verizon ultimately negotiated a $350 million reduction in the acquisition price — from $4.83 billion to $4.48 billion — as a direct result of the disclosed breaches. The parties also agreed that Altaba would retain 50 percent of certain post-closing cash liabilities related to government investigations and third-party litigation arising out of the breaches.

This outcome illustrates a principle that is increasingly important in corporate transactions: cybersecurity due diligence is essential. A breached company’s value is materially impaired by undisclosed or inadequately managed security incidents. Acquirers now routinely commission detailed cybersecurity assessments as part of pre-acquisition due diligence, and material adverse change clauses in acquisition agreements are increasingly drafted to encompass cybersecurity incidents.

What Yahoo Account Holders Should Know

If you held a Yahoo account at any time before the disclosure of the 2013 or 2014 breaches, your personal information may have been exposed. While the class action settlement deadline has passed, there are practical steps you should still take:

  • Change the password on any other account where you used the same password as your former Yahoo account, or a similar one.
  • Be alert to phishing emails targeting former Yahoo users, which may use information from the breach to appear more credible.
  • Monitor your credit reports for any accounts opened in your name that you did not authorize.

Contact a Data Breach Attorney

Revision Legal has worked with businesses of all sizes to deal with the aftermath of a privacy breach and can provide counsel on handling breach notifications in all 50 states and internationally. If you have concerns about your exposure or have received a notification that you have been a victim of a data breach incident, contact the experienced lawyers at Revision Legal. Contact us using the form on this page or call us at 855-473-8474.
