Yahoo data breaches (3 billion accounts)
Two separate breaches — disclosed in 2016 but stretching back to 2013 and 2014 — exposed every Yahoo account in existence. Three billion accounts: the largest single-company data exposure in history.
- Victim: Yahoo!
- Loss: $470.0M
- Records: 3.00B
- Users: 3.00B
The Yahoo data breaches — two separate incidents in August 2013 and late 2014, the 2014 incident disclosed in September 2016 and the 2013 incident in December 2016 — remain the largest single-company data exposure in history. The total reached 3 billion accounts: effectively every Yahoo user who had ever existed, including Flickr, Tumblr, Yahoo Mail, and Yahoo Finance accounts that shared the central authentication database.
The two breaches
The breaches were separate operations with different attackers and different scopes:
2014 breach (500M accounts)
The 2014 breach was the state-sponsored operation. U.S. DOJ indictments unsealed in March 2017 named two officers of Russia's FSB — Dmitry Dokuchaev and Igor Sushchin — as the operation's principals, working with two contracted cybercriminals (Alexsey Belan, a Latvian, and Karim Baratov, a Kazakh-born Canadian). The operation:
- Compromised Yahoo's internal user database.
- Exfiltrated personal data on approximately 500 million accounts.
- Crucially, gave the operators the ability to forge Yahoo authentication cookies — meaning they could log into any targeted account, including diplomats, military officers, journalists, and corporate executives, without needing the user's password.
The cookie-forging capability is the strategic part of the breach. Bulk data exfiltration was a one-time extraction; cookie forgery was an ongoing espionage capability against targeted users, used selectively over the following years. The 500M-account dataset was the "card index" from which targets were selected.
2013 breach (3 billion accounts)
The 2013 breach was larger but technically simpler. An unattributed (likely criminal) actor exfiltrated the user database for every Yahoo account in existence at the time — 3 billion accounts including names, email addresses, MD5-hashed passwords, dates of birth, security questions, and recovery email addresses.
The MD5 hashing is the critical weakness: MD5 is fast to compute, so hashes of common passwords are trivially crackable with modest computational effort. The 2013 dataset is assumed to have been monetised broadly on criminal markets in the years since.
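The weakness above and its remedy, as an added example (not Yahoo's code): an audit that flags every legacy record whose plain MD5 digest matches a common-password table, and a migrate-on-login path that re-hashes to salted scrypt so identical passwords no longer share a stored value. The sample records, the absence of a per-user salt, and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample records in the legacy scheme: plain MD5 hex digests with
# no per-user salt (an assumption; the page says MD5 but not whether salted).
LEGACY = {
    "alice@example.com": hashlib.md5(b"password").hexdigest(),
    "bob@example.com": hashlib.md5(b"password").hexdigest(),
    "carol@example.com": hashlib.md5(b"Tq7!vLm2#pZ9").hexdigest(),
}
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def audit_legacy(store, common):
    """Defender check: one precomputed table of common-password MD5 digests
    matches every user who chose such a password, because unsalted hashes
    of the same password are identical across all accounts."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in common}
    return sorted(user for user, digest in store.items() if digest in table)


def verify_legacy(store, user, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(store.get(user, ""), digest)


def scrypt_hash(password, salt=None):
    """Salted, memory-hard hash; a fresh 16-byte salt per record."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_scrypt(stored, password):
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=2**14, r=8, p=1)
    return hmac.compare_digest(key.hex(), key_hex)


def migrate_on_login(legacy, upgraded, user, password):
    """Re-hash a legacy record the next time its owner authenticates, then
    drop the MD5 copy so the weak digest is no longer stored anywhere."""
    if user in upgraded:
        return verify_scrypt(upgraded[user], password)
    if not verify_legacy(legacy, user, password):
        return False
    upgraded[user] = scrypt_hash(password)
    del legacy[user]
    return True
```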
Verizon and the acquisition
The breaches were disclosed during the final stages of Verizon's $4.83 billion acquisition of Yahoo's core business, agreed in July 2016. When the September 2016 disclosure landed, Verizon negotiated a $350 million reduction in the price and renegotiated the deal closing date and liability allocation. The 2013 disclosure followed in December and added further pressure.
The acquisition closed in mid-2017 at the renegotiated price. The cost of the breach to Verizon — beyond the price discount — included taking on remediation, class action exposure, and an SEC enforcement action.
Impact
- 3 billion accounts had personal data exposed — every Yahoo user in existence at the time.
- $350M discount on the Verizon acquisition price.
- $117.5M class action settlement in 2019 covering 200M U.S. and Israeli account holders.
- $35M SEC fine in April 2018 against Altaba (Yahoo's renamed successor) for failing to disclose the 2014 breach in a timely manner — the first SEC enforcement action against a U.S. public company for delayed breach disclosure, and the precedent for subsequent SEC enforcement actions including the 2023 mandatory 4-day disclosure rule.
Attribution
The U.S. DOJ indictment of March 2017 names four individuals for the 2014 breach:
- Dmitry Dokuchaev (FSB Centre 18 officer; subsequently arrested in Russia on unrelated treason charges)
- Igor Sushchin (FSB officer, in Russia)
- Alexsey Belan (Latvian cybercriminal, in Russia and beyond extradition reach)
- Karim Baratov (Kazakh-born Canadian; arrested 2017 in Canada, extradited and convicted in U.S. in 2018, sentenced to 5 years)
Baratov is one of the very few people ever convicted in connection with a major state-sponsored cyber operation. He had been hired by the FSB officers to phish individual accounts selected as targets via the Yahoo database.
The 2013 breach attribution remains unresolved.
Why it matters
Yahoo is the canonical case for several distinct lessons:
- The "blast radius" of a centralised identity database: a single compromised authentication system exposed users across every Yahoo product. Federated and zero-trust designs have since become the norm partly in response.
- Disclosure delay carries SEC liability: the 2018 Altaba fine was the first U.S. enforcement action for a public company's failure to disclose a breach in a timely manner. Every subsequent SEC cybersecurity disclosure rule traces back to Yahoo's two-year delay.
- State-sponsored access to consumer email is a long-term espionage capability, not a one-time data extraction. The 2014 cookie-forgery capability gave the FSB operators ongoing access to selected targets — not just the 500M-record dataset.
Financial impact
Reported costs in USD
- Business loss: $350.0M
- Remediation: $50.0M
- Fines & settlements: $117.5M
Timeline
Unknown attackers exfiltrate the user database for every Yahoo account in existence at the time — approximately 3 billion accounts, including names, email addresses, hashed passwords (MD5), dates of birth, and security questions.
Russian FSB-tasked operators compromise Yahoo's internal systems and exfiltrate a subset of approximately 500 million accounts. The 2014 access also gave operators the ability to forge authentication cookies for targeted accounts.
Yahoo publicly discloses the 2014 breach — 500M accounts — during ongoing acquisition negotiations with Verizon.
Yahoo discloses the separate 2013 breach affecting 1 billion accounts.
Verizon negotiates the Yahoo acquisition price down by $350 million from the original $4.83B agreed in July 2016.
U.S. DOJ indicts four people for the 2014 breach: two FSB officers (Dmitry Dokuchaev, Igor Sushchin) and two contracted criminals (Alexsey Belan, Karim Baratov).
Yahoo expands the 2013 disclosure: all 3 billion accounts were affected, not 1 billion.
U.S. SEC fines Altaba (Yahoo's renamed successor) $35M for failing to disclose the 2014 breach in a timely manner — first SEC fine for delayed breach disclosure.
Yahoo agrees to a $117.5M class action settlement covering 200M U.S. and Israeli account holders.
Sources
- justice.gov: https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
- sec.gov: https://www.sec.gov/news/press-release/2018-71
- reuters.com: https://www.reuters.com/article/us-yahoo-cyber-idUSKBN1591TI