The settlement comes in the wake of a multistate investigation that found the ride-hailing company paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of those users.

Uber did not provide public notice of the breach until a year after it happened in late 2016, according to a statement from Underwood’s office.