Yahoo: 3 Billion Accounts — Every Single One

Yahoo disclosed in 2016 that it had suffered two separate breaches — one in 2013 affecting all 3 billion accounts and one in 2014 affecting 500 million. The 2013 breach was not discovered for three years.

Yahoo · 2016

Background

Yahoo was in the process of being acquired by Verizon when it disclosed its 2014 breach in September 2016. Two months later, it disclosed the 2013 breach — initially claiming 1 billion accounts. The true figure of 3 billion was revealed only after the Verizon acquisition completed.

The Attack

The 2014 breach involved a nation-state actor — later indicted Russian FSB officers and their associates — who accessed Yahoo's user database via a stolen cookie forgery capability. The 2013 breach exploited a different vulnerability. In both cases, Yahoo used MD5 hashing for passwords — an algorithm considered broken since 2004. The attackers exfiltrated names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions and answers (stored in plaintext).
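To make the MD5 point concrete, here is an added example that is not Yahoo's code and not part of the original article. It contrasts a legacy unsalted MD5 record with a salted scrypt record built from Python's standard `hashlib`, treats security answers as secrets that get the same treatment, and shows the usual migration pattern of upgrading a legacy record at the user's next successful login. The usernames, passwords, security answer and the helper names (`needs_rehash`, `login_and_upgrade`, `store_security_answer`) are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo parameters; none of the data below is real account material.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # about 16 MiB of memory per guess


def md5_store(password: str) -> str:
    """Legacy-style record: unsalted MD5 hex digest.
    Every user with the same password gets the same digest, and each guess
    costs one fast hash, which is why MD5 is not a password hashing function."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def scrypt_store(secret: str, salt: Optional[bytes] = None) -> str:
    """Record 'scrypt$<salt hex>$<key hex>' with a random 16-byte salt per record."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def scrypt_verify(secret: str, record: str) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(secret.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(record: str) -> bool:
    """True for a legacy (bare MD5) record; upgrade it at the next successful login."""
    return not record.startswith("scrypt$")


def normalize_answer(answer: str) -> str:
    """Security answers are secrets too: normalize case/whitespace, then hash like a password."""
    return " ".join(answer.lower().split())


def store_security_answer(answer: str) -> str:
    return scrypt_store(normalize_answer(answer))


def verify_security_answer(answer: str, record: str) -> bool:
    return scrypt_verify(normalize_answer(answer), record)


def login_and_upgrade(username: str, password: str, records: dict) -> bool:
    """Verify against whatever record exists and migrate a legacy MD5 record in place
    once the plaintext is known to be correct. Returns True on a successful login."""
    record = records[username]
    if needs_rehash(record):
        ok = hmac.compare_digest(md5_store(password), record)
        if ok:
            records[username] = scrypt_store(password)  # transparent upgrade
        return ok
    return scrypt_verify(password, record)
```

The salt is what makes two users with the same password produce different records, and the scrypt cost parameters are what make each guess expensive; `hmac.compare_digest` avoids leaking match position through timing.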

Response

Yahoo required password resets for all affected accounts. The Verizon deal was renegotiated to reduce the purchase price by $350 million. Yahoo renamed its operating company Altaba and installed new leadership. The company paid $85 million to settle a class action and $35 million in SEC fines for delayed disclosure.

Outcome

The Yahoo breach remains the largest data breach in history by account count. The delayed disclosure — over three years in the 2013 case — became a landmark in the debate over mandatory breach notification timelines. The SEC fine for disclosure delay was a first.

Key Takeaways

  1. MD5 is not a password hashing function — use bcrypt, scrypt, or Argon2
  2. Security questions and answers must never be stored in plaintext
  3. Breach discovery-to-disclosure gaps of years cause compounding harm to users
  4. Cookie forgery attacks can bypass password authentication entirely — session tokens need expiry and rotation
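As an added example for the fourth takeaway (not Yahoo's design and not code from the article), here is a small session model in Python in which a signed cookie is necessary but not sufficient: the server keeps a registry of issued session ids, so a cookie that carries a valid signature but was never issued is rejected, every session has an absolute expiry, a session that has been live for a while is rotated to a fresh id, and a password-version number bumped at reset invalidates sessions issued before it. The key, lifetimes, users and the `SessionStore` API are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed demo key; a real deployment keeps this in a secrets manager and can
# roll it, which by itself invalidates every cookie it ever signed.
SERVER_KEY = b"demo-only-cookie-signing-key"
SESSION_TTL = 15 * 60    # seconds until a session id is dead regardless of use
ROTATE_AFTER = 5 * 60    # seconds after which a still-valid session gets a fresh id


class SessionStore:
    """Server-side session registry behind an HMAC-signed cookie."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                       # injectable clock for testing
        self.sessions: Dict[str, dict] = {}  # session id -> metadata

    def _sign(self, session_id: str) -> str:
        tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{tag}"

    def issue(self, user: str, pw_version: int) -> str:
        """Mint a cookie for a user who has just authenticated."""
        session_id = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[session_id] = {
            "user": user,
            "created": t,
            "expires": t + SESSION_TTL,
            "pw_version": pw_version,  # bump on password reset to kill older sessions
        }
        return self._sign(session_id)

    def validate(self, cookie: str, current_pw_version: int) -> Tuple[Optional[str], Optional[str]]:
        """Return (user, replacement_cookie). user is None when the cookie is rejected;
        replacement_cookie is set only when the session was rotated on this request."""
        try:
            session_id, tag = cookie.split(".")
        except ValueError:
            return None, None
        expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None, None                    # tampered cookie
        sess = self.sessions.get(session_id)
        if sess is None:
            return None, None                    # well-signed but never issued: forged
        t = self.now()
        if t >= sess["expires"] or sess["pw_version"] != current_pw_version:
            self.sessions.pop(session_id, None)  # expired, or password reset since issue
            return None, None
        if t - sess["created"] >= ROTATE_AFTER:
            self.sessions.pop(session_id)        # retire the old id; the old cookie now fails
            return sess["user"], self.issue(sess["user"], current_pw_version)
        return sess["user"], None
```

The design choice worth noting is the server-side registry: if the signing capability itself is stolen, as the article describes, signature checks alone prove nothing, whereas an id lookup, a short lifetime and rotation bound what a minted cookie can do and shrink the window in which it is useful.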

Tags: MD5, credential theft, nation-state, cookie forgery, disclosure delay