Skip to content
Data breachResolved

Yahoo data breaches (3 billion accounts)

Two separate breaches — disclosed in 2016 but stretching back to 2013 and 2014 — exposed every Yahoo account in existence. Three billion accounts: the largest single-company data exposure in history.

Victim
Yahoo!
Loss
$470.0M
records
3.00B
users
3.00B

The Yahoo data breaches — two separate incidents in August 2013 and late 2014, both disclosed in September and December 2016 — remain the largest single-company data exposure in history. The total reached 3 billion accounts: effectively every Yahoo user who had ever existed, including Flickr, Tumblr, Yahoo Mail, and Yahoo Finance accounts that shared the central authentication database.

The two breaches

The breaches were separate operations with different attackers and different scopes:

2014 breach (500M accounts)

The 2014 breach was the state-sponsored operation. U.S. DOJ indictments unsealed in March 2017 named two officers of Russia's FSB — Dmitry Dokuchaev and Igor Sushchin — as the operation's principals, working with two contracted cybercriminals (Alexsey Belan, a Latvian, and Karim Baratov, a Kazakh-born Canadian). The operation:

  • Compromised Yahoo's internal user database.
  • Exfiltrated personal data on approximately 500 million accounts.
  • Crucially, gave the operators the ability to forge Yahoo authentication cookies — meaning they could log into any targeted account, including diplomats, military officers, journalists, and corporate executives, without needing the user's password.

The cookie-forging capability is the strategic part of the breach. Bulk data exfiltration was extraction; the forgery capability was an ongoing espionage capability against targeted users, used selectively over the following years. The 500M-account dataset was the "card index" from which targets were selected.

2013 breach (3 billion accounts)

The 2013 breach was larger but technically simpler. An unattributed (likely criminal) actor exfiltrated the user database for every Yahoo account in existence at the time — 3 billion accounts including names, email addresses, MD5-hashed passwords, dates of birth, security questions, and recovery email addresses.

The MD5 hashing is critical: with modest computational effort, MD5 hashes of common passwords are trivially crackable. The 2013 dataset is assumed to have been monetised broadly on criminal markets in the years since.

Verizon and the acquisition

The breaches were disclosed during the final stages of Verizon's $4.83 billion acquisition of Yahoo's core business, agreed in July 2016. When the September 2016 disclosure landed, Verizon negotiated a $350 million reduction in the price and renegotiated the deal closing date and liability allocation. The 2013 disclosure followed in December and added further pressure.

The acquisition closed in mid-2017 at the renegotiated price. The cost of the breach to Verizon — beyond the price discount — included taking on remediation, class action exposure, and an SEC enforcement action.

Impact

  • 3 billion accounts had personal data exposed — every Yahoo user in existence at the time.
  • $350M discount on the Verizon acquisition price.
  • $117.5M class action settlement in 2019 covering 200M U.S. and Israeli account holders.
  • $35M SEC fine in April 2018 against Altaba (Yahoo's renamed successor) for failing to disclose the 2014 breach in a timely manner — the first SEC enforcement action against a U.S. public company for delayed breach disclosure, and the precedent for subsequent SEC enforcement actions including the 2023 mandatory 4-day disclosure rule.

Attribution

The U.S. DOJ indictment of March 2017 names four individuals for the 2014 breach:

  • Dmitry Dokuchaev (FSB Centre 18 officer; subsequently arrested in Russia on unrelated treason charges)
  • Igor Sushchin (FSB officer, in Russia)
  • Alexsey Belan (Latvian cybercriminal, in Russia and beyond extradition reach)
  • Karim Baratov (Kazakh-born Canadian; arrested 2017 in Canada, extradited and convicted in U.S. in 2018, sentenced to 5 years)

Baratov is one of the very few people to actually be convicted in connection with a major state-cyber operation. He had been hired by the FSB officers to phish individual accounts targeted via the Yahoo database.

The 2013 breach attribution remains unresolved.

Why it matters

Yahoo is the canonical case for several distinct lessons:

  • The "blast radius" of a centralised identity database: a single compromised authentication system exposed users across every Yahoo product. Federated and zero-trust designs have since become the norm partly in response.
  • Disclosure delay carries SEC liability: the 2018 Altaba fine was the first U.S. enforcement action for a public company's failure to disclose a breach in a timely manner. Every subsequent SEC cybersecurity disclosure rule traces back to Yahoo's two-year delay.
  • State-sponsored access to consumer email is a long-term espionage capability, not a one-time data extraction. The 2014 cookie-forgery capability gave the FSB operators ongoing access to selected targets — not just the 500M-record dataset.

Financial impact

Reported costs in USD

Total reported loss
470.0M
USD · $470,000,000
  • Business loss$350.0M
  • Remediation$50.0M
  • Fines & settlements$117.5M

Timeline

  1. Unknown attackers exfiltrate the user database for every Yahoo account in existence at the time — approximately 3 billion accounts, including names, email addresses, hashed passwords (MD5), dates of birth, and security questions.

  2. Russian FSB-tasked operators compromise Yahoo's internal systems and exfiltrate a subset of approximately 500 million accounts. The 2014 access also gave operators the ability to forge authentication cookies for targeted accounts.

  3. Yahoo publicly discloses the 2014 breach — 500M accounts — during ongoing acquisition negotiations with Verizon.

  4. Yahoo discloses the separate 2013 breach affecting 1 billion accounts.

  5. Verizon negotiates the Yahoo acquisition price down by $350 million from the original $4.83B agreed in July 2016.

  6. U.S. DOJ indicts four people for the 2014 breach: two FSB officers (Dmitry Dokuchaev, Igor Sushchin) and two contracted criminals (Alexsey Belan, Karim Baratov).

  7. Yahoo expands the 2013 disclosure: all 3 billion accounts were affected, not 1 billion.

  8. U.S. SEC fines Altaba (Yahoo's renamed successor) $35M for failing to disclose the 2014 breach in a timely manner — first SEC fine for delayed breach disclosure.

  9. Yahoo agrees to a $117.5M class action settlement covering 200M U.S. and Israeli account holders.

Sources

  1. justice.govhttps://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
  2. sec.govhttps://www.sec.gov/news/press-release/2018-71
  3. reuters.comhttps://www.reuters.com/article/us-yahoo-cyber-idUSKBN1591TI

Related incidents

Data breachResolved

AbuseWith.Us data breach (2016)

In 2016, the site dedicated to helping people hack email and online gaming accounts known as Abusewith.us suffered multiple data breaches. The site allegedly had an administrator in common with the nefarious LeakedSource site, both of which have since been shut down.

Victim
AbuseWith.Us
Records
1.4M
Data breachResolved

MySpace credentials breach

Credentials for roughly 360 million pre-2013 MySpace accounts surfaced for sale on the dark web in 2016. The passwords were stored as unsalted SHA-1 hashes, making one of the largest credential dumps ever disclosed trivially crackable.

Victim
MySpace (Time Inc.)
Records
360.0M
Data breachOngoing

Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom — while stressing that Nintendo's own systems and customer data were not affected.

Victim
Nintendo of America