Further, they had to deal with changing all their passwords and securing new identification information to make sure nobody can steal their identities. When the breach was first announced, Yahoo said customers' "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers" were stolen. That's why some of the plaintiffs even spent money on identity theft protection services.
If you'll recall, Yahoo confirmed last year that hackers stole data linked to over a billion accounts. Worse, that happened way back in 2013 -- it took the company three years to admit to its users that their information was at risk. A second breach that hit the company in 2014 affected 500 million accounts, while the third major breach happened sometime in 2015 and 2016. The Department of Justice indicted four Russians over the cyber intrusions earlier this year: two of them worked for Russia's Foreign Intelligence Service, while the other two were hired to help them out.
Since Yahoo admitted the security breaches in the middle of the Verizon acquisition, it had an effect on the carrier's offer. Big Red ended up buying the company for $4.48 billion, down hundreds of millions from the original $4.83 billion it was going to pay.
Full disclosure: Engadget also operates under Verizon's Oath umbrella.