Yahoo — three-billion account breach
Two breaches in 2013 and 2014, disclosed only in 2016, ultimately exposed all 3 billion Yahoo accounts — the largest user-data exposure ever disclosed.
- Target: Yahoo — three-billion account breach
- Date public: 22 September 2016
- Sector: Technology
- Attack type: Data Breach
- Threat actor: Russian FSB-tasked criminals (DOJ indictment)
- Severity: Critical
- Region: Global
Yahoo's data-breach story unfolded in three disclosures. In 2016 the company announced 500 million accounts had been stolen in a 2014 breach. In late 2016 it disclosed a separate 2013 breach affecting 1 billion accounts. In 2017 it revised the 2013 figure to 3 billion accounts — every Yahoo account in existence at the time. Russian intelligence officers were later indicted for the 2014 attack, working alongside two criminal hackers. Yahoo's password storage was inadequate by 2013 standards, and the security questions and answers it stored alongside the passwords couldn't be rotated — making the breach a long-tail account-takeover risk for years afterwards. The disclosure came mid-acquisition by Verizon, which negotiated $350 million off the deal price.
Yahoo’s data-breach story is told in three disclosures, each more consequential than the last. In September 2016, Yahoo announced that 500 million account records had been stolen in a 2014 breach. In December 2016 the company disclosed a separate 2013 breach affecting 1 billion accounts. In October 2017 Yahoo updated the 2013 figure to 3 billion accounts — every Yahoo account in existence at the time of the breach, including all Yahoo Mail, Tumblr, Flickr and Yahoo-affiliated accounts.
The 2014 breach was attributed by the US Department of Justice in March 2017 to two Russian Federal Security Service (FSB) officers — Dmitry Dokuchaev and Igor Sushchin — and two criminal hackers, Alexsey Belan and Karim Baratov, working at the FSB’s direction. The indictment described the operation as state-tasked intelligence collection that ran in parallel with personal financial fraud committed by the criminal participants — Belan was already on the FBI’s most-wanted cybercriminals list at the time of the indictment. Baratov was extradited from Canada to the US and convicted; the others remained at large in Russia.
The data exfiltrated included names, email addresses, phone numbers, dates of birth, hashed passwords (using the cryptographically broken MD5 algorithm in many cases), security questions and answers, and unencrypted backup-email contact details. Yahoo’s password hashing was inadequate by 2013 standards and trivially crackable by 2017. The unencrypted security questions and answers — “What was the name of your first pet” — became the basis for further account takeovers across the global identity ecosystem, since the same answers were used at thousands of other services.
The 2016 disclosures occurred during Verizon’s pending acquisition of Yahoo’s core internet business. Verizon negotiated a $350 million reduction in the acquisition price, completed the acquisition in 2017, and renamed the combined entity Oath (later Verizon Media, then Yahoo Inc. again under different ownership). Yahoo settled SEC charges over disclosure-controls failures for $35 million in 2018, and a class action for $117.5 million in 2020.
Defender takeaway: Yahoo is the case study for “encryption is what saves you when the database is taken”. Storing passwords as MD5 hashes was inadequate even by 2013 standards (bcrypt and PBKDF2 had been recommended for over a decade) and left every affected user with credentials that could be cracked offline at scale. The security-questions-and-answers data was a more subtle leak: it provided enduring credentials for password-reset flows at every other site that used the same questions, and could not be rotated. The structural lesson is that the perimeter security at internet platforms that hold the personal data of three billion people has to anticipate state-sponsored intelligence-collection campaigns alongside criminal activity. The disclosure-timing lesson — Yahoo’s three-and-a-half-year gap between the 2013 breach and its eventual full disclosure — drove the SEC’s subsequent rule-making on cybersecurity-incident disclosure deadlines.
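The storage contrast the takeaway turns on, written out as an added Python example (this is not Yahoo's code and is not drawn from the sources below): a legacy unsalted-MD5 record beside a salted, iterated PBKDF2-HMAC-SHA256 record, a login path that verifies either and rehashes legacy records the moment the user logs in, and security-question answers stored as secrets rather than in clear. The record format, the function names, and the 600,000-iteration work factor are assumptions made for this example.

```python
"""Password-storage hygiene illustrated against the Yahoo case: legacy unsalted
MD5 records versus salted, iterated PBKDF2-HMAC-SHA256, with a transparent
upgrade on login. Added example; not Yahoo's code."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor is an assumption chosen for this example; tune it to the CPU
# budget you can afford per login on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5_record(password: str) -> str:
    """Unsalted MD5, the storage format this case study warns against.
    Identical passwords produce identical records, so a single precomputed
    table matches every user who chose that password at once."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(secret: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing record format
    (constructed for this example): pbkdf2_sha256$<iters>$<salt b64>$<hash b64>.
    A fresh random salt per record means equal passwords give unequal records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_legacy(record: str) -> bool:
    return record.startswith("md5$")


def verify(record: str, secret: str) -> bool:
    """Constant-time comparison against either record format."""
    if is_legacy(record):
        return hmac.compare_digest(legacy_md5_record(secret), record)
    scheme, iters, salt_b64, hash_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown record scheme: %r" % scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def verify_and_upgrade(record: str, secret: str) -> Tuple[bool, str]:
    """Login path: verify, and if the stored record is legacy MD5 and the
    password matched, return a fresh PBKDF2 record for the caller to write
    back. Login is the only moment the plaintext is available to rehash, so a
    migration off MD5 has to ride on it (and stale records that never log in
    should be force-reset instead of left in place)."""
    ok = verify(record, secret)
    if ok and is_legacy(record):
        return True, pbkdf2_record(secret)
    return ok, record


def normalise_answer(answer: str) -> str:
    """Security-question answers are reusable secrets. Normalise so that
    'Fluffy ' and 'fluffy' compare equal, then store them exactly like
    passwords, never in clear text."""
    return " ".join(answer.casefold().split())


def security_answer_record(answer: str) -> str:
    return pbkdf2_record(normalise_answer(answer))


def verify_security_answer(record: str, answer: str) -> bool:
    return verify(record, normalise_answer(answer))
```

Hashing the answers does not make them rotatable at other sites that asked the same question, which is the enduring part of the Yahoo leak, but it does stop a copy of your own database from handing the answers over in clear.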
Sources
- Yahoo data breaches — Wikipedia // reporting
- U.S. v. Dokuchaev et al. — DOJ press release (Yahoo indictment) // primary
- Yahoo SEC filing — 8-K disclosure of 2014 breach // primary