Yahoo! hack! payout! nearly! approved! and! the! question! is! how! to! spend! 60! cents!?

Now all you have to do is remember what your Y! email address was amid sounds of lawyers popping champagne

Long-suffering Yahoo! customers may finally get some compensation for having their personal details exposed to hackers not once, not twice, not three times, nor four times, but five times between 2012 and 2016.

The proposed $117.5m settlement from the US class-action lawsuit brought back when Yahoo! actually existed is headed toward its final approval by a judge. Millions of customers received an email this week outlining what they have to do to get their hands on that filthy lucre.

There’s good news and bad news: the good news is that if you had a Yahoo! account between 2012 and 2016 you are eligible for “up to $358.80”; the bad news is that not only do you have to fill in a form to get it, not only do you have to remember that Yahoo! email address you stopped using years ago, but unless you have credit monitoring, you don’t get a cent.

Even if you do have credit monitoring and do fill in the form, chances are you won’t get anywhere near $358. There were 196 million people affected by the five separate security breaches, which equates to a rather pathetic 60 cents each. But everyone is confident that no one wants anything to do with Yahoo! anymore so they are saying that if you fill in the form you will get at least $100. We’ll see.

This is Yahoo!, of course, so nothing’s that easy. The lawyers have agreed to the same approach as the horrible Equifax security breach settlement, where you have to provide proof of your credit monitoring service in order to get any cash – and there are five questions you need to answer for that.

Why five and why don’t these companies just get the information from those companies directly? Because class-action lawsuits suck, that’s why.

Guess who wins?

Yet there is one group that’s happy, and that is, of course, the lawyers. They want a disgraceful 25.5 per cent payoff in the form of a roughly $30m check. And if you think that’s high, the judge agrees with you: Judge Lucy Koh refused to accept an agreed settlement this time last year because the lawyers wanted $35m.




She kicked them out of the courtroom and three months later they came back with a self-compensation figure of $30m. That wasn’t the only reason Koh refused the settlement last year – she also said it was too vague and didn’t describe the website breaches sufficiently. In other words, Verizon-owned Yahoo! was trying to vague its way through the legal system. Yeah, we're using vague as a verb.

This time the settlement language lists each website hack specifically, and gives a brief explanation for each, although it omits the reality, which is that Yahoo! suffered all these system intrusions because it was utterly incompetent and running around like a headless chicken with Marissa Mayer as CEO.

So, if you can stand it, if you can remember your Yahoo! email address, have credit monitoring, and are willing to dig out the details, then head over to the settlement website to claim your reward for putting up with Yahoo! for all those years.

Incidentally, this reporter was able to log in to his old Yahoo! account (after resetting the password he’d forgotten) using just his username, but can’t remember the actual email address and – amazingly – Yahoo!’s mail system isn’t working, so the workaround of sending an email to a different account to discover it doesn’t work either.

Oh, Yahoo!, how we don’t miss you. ®

