// overview
What happened
In September 2016, Yahoo disclosed that 500 million accounts had been compromised in a 2014 breach. Three months later, in December 2016, the company disclosed a separate 2013 breach affecting one billion accounts. In October 2017 — under new owner Verizon — the 2013 figure was revised upward to all three billion accounts that had existed on Yahoo's services at the time.
Stolen data included names, email addresses, dates of birth, phone numbers, hashed passwords (MD5 for the accounts taken in 2013, mostly bcrypt for those taken in 2014), and security questions and answers, some of them unencrypted. Many victims were still using the same answers on other services years later.
Most damaging technically: attackers obtained Yahoo's proprietary account-management code and learned how to forge its authentication cookies. With a forged cookie they could log in as any user without knowing the password, so neither two-factor authentication nor a password change stopped them.
The US Department of Justice indicted four individuals in March 2017: two FSB officers (Dmitry Dokuchaev and Igor Sushchin) and two contracted criminal hackers (Alexsey Belan and Karim Baratov). Because the breaches were disclosed during Verizon's acquisition process, the sale price was cut by $350 million, and the SEC later brought an enforcement action against Yahoo's successor entity, Altaba: the first time the SEC fined a company specifically for failing to disclose a cyber incident promptly.
// timeline
How it unfolded
Aug 2013
First breach occurs — eventually understood to affect all 3 billion accounts.
2014
Separate intrusion compromises ~500 million accounts; cookie-forging infrastructure deployed.
Sep 22, 2016
Yahoo discloses 500M-account breach during Verizon acquisition negotiations.
Dec 14, 2016
Yahoo discloses separate 1B-account breach from 2013.
Feb 21, 2017
Verizon reduces acquisition price by $350M.
Mar 15, 2017
DOJ indicts FSB officers and criminal hackers.
Oct 3, 2017
Verizon revises 2013 breach figure to all 3 billion accounts.
Apr 24, 2018
SEC fines Altaba (formerly Yahoo) $35M for delayed disclosure, a regulatory first.
// damage
Impact and scale
The Yahoo breaches were the largest in history by user count when disclosed. Beyond stolen credentials, attackers minted forged cookies that let them log into any Yahoo account without a password. The slow disclosure during Verizon merger talks became a textbook example of how disclosure timing creates material financial consequences for acquirers and shareholders.
// affected
Who was hit
- All 3 billion Yahoo accounts in existence as of 2013
- Users of Yahoo Mail, Flickr, Tumblr, and Fantasy Sports
- Verizon shareholders (acquisition price renegotiated)
- Anyone reusing Yahoo passwords on other services
// lessons
Key takeaways
- Password rotation does not save you when attackers can forge session cookies; only rotating the cookie-signing material and invalidating outstanding sessions does.
- MD5 is a fast general-purpose digest, not a password-hashing function; the accounts still hashed with it in 2013 were trivially crackable when the dump surfaced in 2016.
- Disclosure timing has material financial and regulatory consequences during M&A.
- 'Largest breach ever' records exist to be broken: Yahoo's 3B stood as the largest confirmed breach for years, and later aggregated credential dumps have surpassed it in raw record count.
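The cookie-forgery point made in the overview and in the first takeaway above, as an added example that is not Yahoo's code and not taken from the page. It models an HMAC-signed authentication cookie in two designs: a naive one in which nothing in the cookie changes when the user rotates their password, and one that binds the cookie to a per-user password-generation counter. The server key, the user record, the clock value and the attacker's possession of the key are all constructed assumptions for the example; the real cookie format Yahoo used is not described on the page.

```python
"""
Added example, not Yahoo's code. Two designs for an HMAC-signed authentication
cookie: a naive one where nothing in the cookie changes on password rotation,
and one that binds the cookie to a per-user password generation counter.
Key, user record and timestamps are all constructed for the example.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed server-side secret. The attacker in the scenario below is assumed
# to have obtained it together with the minting code; that assumption is what
# makes forgery possible and is not a claim about how Yahoo stored its key.
SERVER_KEY = b"constructed-server-key"

# Constructed user store; pw_generation increments on every password change.
USERS = {1001: {"name": "alice", "pw_generation": 0}}


def _sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(key: bytes, uid: int, expires_at: int,
                pw_generation: Optional[int] = None) -> str:
    """Build 'uid:expiry[:generation]:hmac'. Anyone holding `key` can call this
    for any uid: that is the forgery, with no password or second factor involved."""
    fields = [str(uid), str(expires_at)]
    if pw_generation is not None:
        fields.append(str(pw_generation))
    payload = ":".join(fields)
    return f"{payload}:{_sign(key, payload)}"


def verify_cookie(key: bytes, cookie: str, now: int,
                  bind_to_password: bool) -> Optional[int]:
    """Return the uid for a valid cookie, else None.

    With bind_to_password=True the cookie must carry the user's *current*
    password generation, so a password change invalidates earlier cookies."""
    parts = cookie.split(":")
    if len(parts) != (4 if bind_to_password else 3):
        return None
    *fields, tag = parts
    payload = ":".join(fields)
    # Constant-time compare: the tag is attacker-controlled input.
    if not hmac.compare_digest(tag, _sign(key, payload)):
        return None
    uid, expires_at = int(fields[0]), int(fields[1])
    if now >= expires_at or uid not in USERS:
        return None
    if bind_to_password and int(fields[2]) != USERS[uid]["pw_generation"]:
        return None
    return uid


def change_password(uid: int) -> None:
    """Only the generation counter matters for this example; storing the new
    password hash is omitted."""
    USERS[uid]["pw_generation"] += 1


def scenario(bind_to_password: bool) -> Tuple[bool, bool]:
    """Attacker forges a ten-year cookie for alice with the leaked key, then
    alice rotates her password. Returns (valid_before, valid_after)."""
    USERS[1001]["pw_generation"] = 0          # reset constructed state
    now = 1_700_000_000                        # constructed clock
    leaked_key = SERVER_KEY                    # the assumption stated above
    gen = USERS[1001]["pw_generation"] if bind_to_password else None
    forged = mint_cookie(leaked_key, 1001, now + 10 * 365 * 86400, gen)
    before = verify_cookie(SERVER_KEY, forged, now, bind_to_password) == 1001
    change_password(1001)
    after = verify_cookie(SERVER_KEY, forged, now + 60, bind_to_password) == 1001
    return before, after


if __name__ == "__main__":
    print("naive cookie:", scenario(bind_to_password=False))   # (True, True)
    print("bound cookie:", scenario(bind_to_password=True))    # (True, False)
```

The naive design returns (True, True): the forged cookie survives the password change, which is the "rotation does not save you" point. Binding the cookie to the generation counter returns (True, False), but note the limit of that fix: an attacker who still holds the key can simply mint a fresh cookie with the new (small, guessable) generation value. Binding invalidates outstanding cookies; only rotating the signing key and revoking sessions server-side closes the hole, and the key has to live outside the source tree so that a code theft does not carry it along.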
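The MD5 point from the overview and the second takeaway above, as an added example that is not from the page or from Yahoo. It shows why an unsalted fast digest turns a leaked dump into a lookup table that cracks every user at once, while a salted, iterated hash forces per-user work. hashlib.pbkdf2_hmac stands in for bcrypt here because it is in the Python standard library; that substitution is an assumption, and the argument (salt plus a cost parameter) is the same for bcrypt. The wordlist and the "leaked" account records are constructed.

```python
"""
Added example, not from the page or from Yahoo. Contrast between an unsalted
MD5 password store and a salted, iterated KDF store under the same wordlist
attack. pbkdf2_hmac is a stdlib stand-in for bcrypt (assumption).
Wordlist and account records are constructed.
"""
import hashlib
import os
from typing import Dict, Tuple

# Constructed wordlist, the kind of thing an attacker runs against a dump.
WORDLIST = ["password", "123456", "letmein", "yahoo2013", "qwerty", "hunter2"]

# Constructed plaintexts used only to build the two "leaked" stores below.
ACCOUNTS = {
    "alice": "letmein",
    "bob": "yahoo2013",
    "carol": "correct horse battery staple",
}


def md5_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """The 2013-era anti-pattern: unsalted MD5 of the password. Two users with
    the same password also get the same hash, which leaks on its own."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in accounts.items()}


def kdf_store(accounts: Dict[str, str],
              iterations: int = 100_000) -> Dict[str, Tuple[bytes, int, bytes]]:
    """Per-user random salt plus an iteration count. bcrypt plays this role for
    the accounts Yahoo had migrated by 2014; pbkdf2 is used here as a stand-in."""
    store = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, digest)
    return store


def crack_md5(store: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """One MD5 per wordlist entry builds a table that is reused for every user.
    Returns (cracked, digests_computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def crack_kdf(store: Dict[str, Tuple[bytes, int, bytes]],
              wordlist) -> Tuple[Dict[str, str], int]:
    """The salt defeats the shared table, so every (user, guess) pair is a fresh
    KDF call, each costing `iterations` hash rounds. Returns (cracked, kdf_calls)."""
    found: Dict[str, str] = {}
    calls = 0
    for u, (salt, iterations, digest) in store.items():
        for w in wordlist:
            calls += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                found[u] = w
                break
    return found, calls


if __name__ == "__main__":
    cracked, n = crack_md5(md5_store(ACCOUNTS), WORDLIST)
    print("md5:", cracked, "digests:", n)                 # 6 cheap digests for all users
    cracked, n = crack_kdf(kdf_store(ACCOUNTS), WORDLIST)
    print("kdf:", cracked, "kdf calls:", n, "(x 100000 rounds each)")
```

Both attacks recover the weak passwords and neither recovers carol's passphrase, so strength still matters. The difference is the bill: the MD5 store falls to six digests total, reusable across every account in the dump, while the salted KDF store costs one full KDF evaluation per user per guess. On GPU hardware that gap is several orders of magnitude, which is exactly the gap between the MD5-hashed 2013 accounts and the bcrypt-hashed ones.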
