
Yahoo Customer Data Security Breach Litigation Settlement - denzil_correa
https://yahoodatabreachsettlement.com/
======
7dare
Out of curiosity, why does this apply to US and Israel residents? Is there a
legal framework that makes Israelis eligible for these kinds of settlements
automatically?

------
Hitton
The settlement potentially includes up to 194 million people, so if even just
a small part of people asks for money, they'll get just dollars. The situation
with Equifax repeats itself.

~~~
i_cant_speel
Good thing we have the option to get free credit monitoring... that we just
received from the last time our data was carelessly handled.

~~~
cobookman
Maybe now would be a good time to create a credit monitoring startup.

------
ceejayoz
How long before an identity thief pays PR Newswire to run a story on <major
company> data breach settlement and harvest all the PII requested on these
sorts of settlement claim forms?

yahoodatabreachsettlement.com just looks scammy as hell. It's a pity there's
not a .gov domain set up for this sort of thing - when there's a settlement, a
court order gets issued for yahoo.settlements.gov to get set up.

~~~
jannes
Yep, it does look scammy as hell. I got an email from Yahoo about this
settlement about a week ago and at first I thought it was spam.

From: info@service.comms.yahoo.net

Subject: Yahoo Security Breach Proposed Settlement

If you had a Yahoo account anytime in 2012 through 2016, a pending class
action settlement may affect you.

A Class Action Settlement has been proposed in litigation against Yahoo! Inc.
(“Yahoo”) and Aabaco Small Business, LLC (together, called “Defendants” in
this notice), relating to data breaches (malicious actors got into system and
personal data was taken) occurring in 2013 through 2016, as well as to data
security intrusions (malicious actors got into system but no data appears to
have been taken) occurring in early 2012 (collectively, the “Data Breaches”).

....

~~~
willis936
Yahoo is a scam in its entirety. Even their support page feels like it exists
to funnel personal information to spam databases.

------
ryanlol
Credit monitoring is snake oil. These settlements are universally bullshit and
mostly benefit snake oil vendors and not consumers.

Also FWIW the damage figures are also nonsense, how much can the Equifax leak
hurt anyone if their data was already for sale on ssndob? Almost all Americans
have had their information compromised in hacks they’ve never heard of.

Am I wrong?

~~~
u801e
> Credit monitoring is snake oil.

What we really need is to shift the burden of proof from the consumer to the
lender. If the lender cannot establish beyond a reasonable doubt that they
entered into a contract with the consumer, then the consumer can sue them. Just
having the SSN, name, address of the consumer, etc. shouldn't be enough to
prove the lender entered into a contract with the consumer.

~~~
ryanlol
> then the consumer can sue them

For what? The consumer isn’t responsible anyway if the lender gets defrauded.

Is the fraud in itself not enough of a punishment for the lender?

I’d argue that the real problem here are the regulators who have shaped this
broken system. Not the lack of punishments for existing within it.

> Just having the SSN, name, address of the consumer, etc. shouldn't be enough
> to prove the lender entered into a contract with the consumer.

It isn’t. The lender enters into a contract with a fraudster and gets fucked.
The lender is the victim, not the consumer.

~~~
magashna
I had trouble getting an apartment because of credit fraud. Was I not a victim
in the situation? I had to spend hours on the phone over months getting my
credit report cleared. I guess I'm being entitled and poor ole Bank of America
was the real victim here.

~~~
ryandrake
Customers shouldn’t have to be on the phone for days to solve a bank’s
problem. Credit fraud (please don’t help banks by calling it identity theft)
should be handled like American Express handles credit card fraud. I see a
fraudulent charge on my bill, I call up AMEX one time and tell them this
charge is fraud, and that’s it! They take it from there, restore the balance,
do the investigation and charge back the vendor. They usually ask that you at
least try to get in touch with the vendor first and that’s reasonable.

Maybe I’ve been lucky but every time I’ve had to do a chargeback it’s been
this smooth.

Credit reporting should be the same. I should get a statement in the mail
every month from these agencies showing all credit activity and inquiries, and
have a simple and painless way to dispute fraudulent data.

I should also be able to opt out and not participate in the credit reporting
system but that’s a topic for a different thread.

------
iflywithbook
"Under the terms of the Settlement, Yahoo has enhanced, or, through its
successor in interest, Oath Holdings Inc. (“Oath”), continues to enhance its
business practices that will improve the security of its users’ personal
information stored on its databases. Defendants will also pay for a Settlement
Fund of $117,500,000. The Settlement Fund will provide a minimum of two years
of Credit Monitoring Services to protect Settlement Class Members from future
harm, or an alternative cash payment for those who verify they already have
credit monitoring or identity protection."

~~~
koolba
Why do judges agree to forcing consumers to have the useless product of credit
monitoring in place to receive a cash payout?

Can I set up a “virtual” credit monitoring that provides that type of service
in name only to cover that requirement? Imagine paying $5 to claim you have
credit monitoring for settlement purposes.

~~~
ocdtrekkie
I mean, you should have one from one of the many previous breaches. Also,
arguably your credit card or mortgage company may be providing you enough
monitoring to claim you have it. For those who suffered under TurboTax, Intuit
offers a free credit monitoring service as well.

Credit monitoring, like antivirus, is something you should have, but should
not be paying for.

~~~
mindslight
It's 2019. "Credit monitoring", like antivirus, is something you simply should
not have. Rather, you should take steps to avoid being beholden to broken
systems in the first place.

For "credit monitoring" specifically, individuals should not be doing the
surveillance bureau's work _for them_. If lenders don't think it is necessary
to do diligence when issuing credit, then why should I make up for it by half-
policing [0] use of my public identifiers? The more painful fraud is for
lenders, the more incentive they have to actually do some diligence rather
than trying to push their lack of responsibility onto everyone else.

[0] If I had total legal control over the use of my public identifiers, I
would simply tell the surveillance bureaus to delete all data kept on me. But
we are not given this option, which indicates how the surveillance bureaus do
not work for us. The less we give them, the better.

~~~
ocdtrekkie
Well, I have a mortgage, so not being beholden to them isn't really an option.

~~~
mindslight
It seems that already having a mortgage means you're much less beholden than
someone who intends to apply for one in the future...

------
Ambele
I bet with the right commands (e.g., SQL injection commands), you could make this
settlement fund print out its records. Look at how unnecessarily verbose and
pretty the error message output is:
https://yahoodatabreachsettlement.com/x

I haven't tried it but it looks ripe for attack. A security noob could try
using SQLMap and Nikto. If that were to happen though, would there be a class
action lawsuit against the class action settlement team?

------
ping_pong
Is it worth it to sign up? I get so many notices for settlements and they all
want my SSN, I would rather keep that private rather than give it away for
what is likely to be a very small settlement.

