Table of Contents
The Yahoo data breaches hold a singular distinction in cybersecurity history: every single Yahoo account – all 3 billion of them – was compromised. The breaches, which occurred in 2013 and 2014 but were not disclosed until 2016, represent the largest data breach ever recorded and one of the most consequential failures of corporate transparency. State-sponsored hackers, years of delayed disclosure, and a massive acquisition disrupted – the Yahoo breach saga shaped how we think about data security, corporate accountability, and the lasting damage of compromised credentials. As part of our Data Breaches & Identity Protection guide, this article examines what happened, why it still matters nearly a decade later, and what lessons it holds for personal security.
What Happened: Timeline
Late 2014: The State-Sponsored Breach
In late 2014, hackers linked to Russia’s Federal Security Service (FSB) breached Yahoo’s network and accessed data for approximately 500 million user accounts. The attackers used a combination of spear-phishing emails and exploitation of Yahoo’s internal tools to gain access to the user database.
The attack was sophisticated and targeted. The FSB operatives were primarily interested in the email accounts of Russian journalists, US and Russian government officials, and private sector employees in finance and technology. However, they accessed the broader user database in the process.
Yahoo did not disclose this breach for nearly two years.
August 2013: The Larger Breach
In August 2013 – before the FSB attack – a separate group of hackers breached Yahoo and stole data from all Yahoo user accounts. The full scope of this breach was not understood until years later.
This breach was initially disclosed in December 2016 as affecting “more than one billion accounts.” In October 2017, Yahoo (by then owned by Verizon) revised the number upward to all 3 billion accounts – every Yahoo account that existed at the time.
September 2016: First Public Disclosure
On September 22, 2016, Yahoo publicly disclosed the 2014 breach (the 500-million-account incident), attributing it to a “state-sponsored actor.” The timing was significant: Yahoo was in the process of negotiating its sale to Verizon Communications for $4.83 billion. The disclosure came after the sale agreement was signed but before it closed.
December 2016: The Bigger Breach Disclosed
On December 14, 2016, Yahoo disclosed the 2013 breach, initially reporting that more than 1 billion accounts were affected. This second disclosure, coming just three months after the first, compounded the reputational damage and raised serious questions about what Yahoo’s leadership knew and when.
March 2017: DOJ Indictments
The US Department of Justice indicted four individuals for the 2014 breach: two officers of Russia’s FSB (Dmitry Dokuchaev and Igor Sushchin) and two criminal hackers (Alexsey Belan and Karim Baratov) who were recruited by the FSB operatives. Baratov, a Canadian citizen, was arrested and eventually sentenced to five years in prison. The Russian defendants remain at large.
June 2017: Verizon Acquisition Closes
Verizon completed its acquisition of Yahoo in June 2017, but at a reduced price of $4.48 billion – $350 million less than the original agreement. The price reduction was directly attributed to the breach disclosures.
October 2017: The Full 3 Billion
Verizon-owned Yahoo revised the 2013 breach figure to encompass all 3 billion user accounts, making it the largest data breach in history – a record it still holds.
What Was Exposed
The 2013 Breach (3 Billion Accounts)
- Names, email addresses, and dates of birth
- Phone numbers (where provided)
- Hashed passwords using the MD5 algorithm (a weak hashing function known to be easily cracked)
- Security questions and answers (some encrypted, some in plaintext)
- Account recovery email addresses
The 2014 Breach (500 Million Accounts)
- Names, email addresses, and dates of birth
- Phone numbers
- Hashed passwords (bcrypt in some cases, MD5 in others)
- Security questions and answers (encrypted and unencrypted)
- Information about forged authentication cookies that allowed attackers to access accounts without passwords
The Forged Cookie Problem
One of the most technically significant aspects of the 2014 breach was the attackers’ ability to forge authentication cookies. Yahoo’s session management system had a weakness that allowed the attackers to create cookies granting access to any Yahoo account without knowing the password. This meant the attackers could read emails, access Yahoo services, and impersonate users silently.
How It Happened
The 2014 Breach: State-Sponsored Attack
The FSB-linked attackers used a combination of techniques:
- Spear-phishing emails targeted Yahoo employees with access to user management tools
- Internal tools exploitation allowed the attackers to query the user database and generate access cookies
- Persistent access was maintained through backdoors, allowing the attackers to return over an extended period
- Lateral movement through Yahoo’s network gave the attackers access to systems beyond the initially compromised entry points
The involvement of state-sponsored actors distinguished this from a typical criminal breach. The FSB operatives had specific intelligence targets but accessed the broader database in the process.
The 2013 Breach: Criminal Attack
The 2013 breach was attributed to a criminal group rather than a state actor. The specific technical details of the attack have been less thoroughly documented, but the scope – all 3 billion accounts – suggests a deep compromise of Yahoo’s core user database infrastructure.
Systemic Security Weaknesses
Both breaches were enabled by systemic weaknesses in Yahoo’s security posture:
- Weak password hashing: The use of MD5 for password hashing was considered inadequate even in 2013. MD5 hashes can be cracked at rates of billions per second on modern hardware.
- Plaintext security questions: Storing security question answers without encryption is a fundamental security failure.
- Cookie forging vulnerability: The ability to forge authentication cookies represents a critical flaw in session management.
- Delayed detection: The 2013 breach went undetected for approximately three years. The 2014 breach was detected but not disclosed for two years.
- Insufficient security investment: Former Yahoo security team members later reported that the company’s leadership consistently prioritized product features over security investments.
Impact
The $350 Million Price Reduction
The most immediately quantifiable impact was the $350 million reduction in Verizon’s acquisition price. This represented roughly 7% of the original deal value and established a precedent for breach-related acquisition price adjustments.
SEC Settlement
In April 2018, the SEC fined Altaba (the entity that remained after Yahoo’s operating business was sold to Verizon) $35 million for failing to disclose the 2014 breach in a timely manner. The SEC specifically cited Yahoo’s failure to inform investors about a known data breach during the Verizon acquisition process.
User Settlement
In 2020, a $117.5 million settlement was reached in the class action lawsuit brought by Yahoo users. The settlement provided credit monitoring, cash reimbursement for out-of-pocket losses, and a fund for affected users.
Lasting Impact on Credential Security
The 3 billion Yahoo accounts compromised in 2013 created an enormous reservoir of stolen credentials. Many users reused their Yahoo passwords on other services, fueling years of credential stuffing attacks across the internet. The Yahoo breach data became one of the most widely traded datasets in criminal markets and remains in circulation today.
Security questions and answers stolen from Yahoo were particularly damaging because people tend to use the same security questions across multiple services. Knowing someone’s mother’s maiden name, their first pet’s name, or the city they were born in gives attackers answers that work across banking, insurance, and government websites.
Lessons for Users
Lesson 1: Delayed Disclosure Is the Norm, Not the Exception
Yahoo knew about the 2014 breach for two years before disclosing it. The 2013 breach went undetected for three years. This pattern of delayed discovery and disclosure is common across the industry. You cannot rely on companies to tell you promptly when your data has been compromised.
Lesson 2: MD5 and Weak Hashing Mean Your Password Was Cracked
If your Yahoo password was hashed with MD5 (as most were in the 2013 breach), it was almost certainly cracked within days or weeks of the breach. MD5 is so weak that modern hardware can test billions of combinations per second. If you used that password anywhere else, those accounts were also vulnerable.
Lesson 3: Security Questions Are a Liability
The Yahoo breach exposed security question answers – information that many people use across multiple services. “What is your mother’s maiden name?” and similar questions create a shared vulnerability across every service that uses them. Going forward, treat security question answers as passwords: use random, unique answers stored in your password manager rather than truthful responses.
Lesson 4: State-Sponsored Attacks Affect Everyone
The 2014 breach targeted specific individuals but compromised 500 million accounts in the process. State-sponsored attackers operate at a scale that affects entire populations, not just their specific targets. You do not need to be a person of interest to be collateral damage.
Lesson 5: Breach Data Has a Long Half-Life
The Yahoo breach data from 2013 is still actively used in credential stuffing attacks in 2026. Stolen credentials and personal information do not expire. They circulate in criminal markets indefinitely and are used for years after the initial breach.
How to Protect Yourself
Even if you have not used Yahoo in years, the stolen data may still affect you:
Change any password that was the same as your old Yahoo password. If you used the same password on other services, those accounts are at risk from credential stuffing.
Use a password manager to generate and store unique passwords for every account. PanicVault stores your encrypted vault locally on your Apple devices using the KeePass format, giving you complete control over your credential data without relying on a cloud service that could be breached.
Replace truthful security question answers with random strings stored in your password manager. If a site asks for your mother’s maiden name, enter a random string like “T8qm-Px4n” instead. This prevents stolen Yahoo security answers from being used against your other accounts.
Enable multi-factor authentication on all accounts, starting with email accounts (which are often the keys to resetting passwords on other services).
Check your breach exposure using Have I Been Pwned to see if your Yahoo email and other accounts appear in known breaches.
Freeze your credit if you have not already. The personal information from the Yahoo breach (name, date of birth, phone number) combined with data from other breaches may be sufficient for identity fraud.
Monitor the dark web for your email addresses and personal information appearing in new criminal listings.
Close unused Yahoo accounts if you no longer need them. Dormant accounts with old credentials are easy targets.
The Yahoo breach serves as a permanent reminder of two realities: companies may not discover or disclose breaches for years, and stolen data never expires. The passwords, security questions, and personal details stolen in 2013 are still being exploited more than a decade later. The only effective defense against this permanence is to ensure that every credential is unique, every account has MFA, and your personal security does not depend on any single company’s ability to protect its systems.
