A Breach of Unprecedented Scale
In September 2016, Yahoo confirmed what many had feared: an intrusion in late 2014 had exposed personal information tied to at least 500 million user accounts. Three months later it disclosed a second, earlier theft from August 2013, which it then put at more than 1 billion accounts. That was shocking enough. But in October 2017, after the sale to Verizon had closed, the 2013 figure was revised: every account that existed at the time, roughly 3 billion, had been affected.
Measured by number of accounts, it remains the largest data breach on public record.
What Was Stolen
The attackers accessed:
- Names and email addresses for all 3 billion accounts
- Telephone numbers and dates of birth
- Hashed passwords, using the outdated MD5 algorithm in the 2013 theft (most of those taken in 2014 were bcrypt-hashed)
- Security questions and answers, in some cases stored encrypted and in others unencrypted
- Yahoo's proprietary code for generating authentication cookies, which let the attackers forge cookies and access accounts without a password
Yahoo stated that clear-text passwords, payment card data and bank account information were not taken.
The use of MD5 for password hashing was particularly damaging. MD5 has been considered cryptographically broken since collisions were published in 2004, but for password storage the real problem is speed: it is a fast, unsalted general-purpose hash, so a leaked table can be matched against precomputed hashes of common passwords at billions of guesses per second on commodity GPUs, and most of these hashes could be cracked rapidly.
How It Happened
The breach was actually two separate incidents. The first, in August 2013, is the one that ultimately affected all 3 billion accounts; it has never been publicly attributed. The second, in late 2014, affected at least 500 million accounts and was attributed by the U.S. Department of Justice in March 2017 to two Russian FSB officers and two criminal hackers working with them.
For the 2014 intrusion, the indictment describes spear-phishing emails sent to Yahoo employees as the initial access. Once inside the network, the attackers reached Yahoo's User Database (UDB) and its Account Management Tool (AMT), and they obtained the proprietary code that generated authentication cookies. With account records from the UDB and that code they could mint a valid cookie for any chosen account and log in without knowing its password; Yahoo said forged cookies were used against accounts through 2015 and 2016.
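To make concrete what "forging a cookie" means, here is an added example (not Yahoo's code; its cookie format was never published) of a generic HMAC-signed session cookie in the style many web frameworks use. Every key, user id and timestamp in it is constructed. It shows that minting a cookie takes the signing key and a user id but never the password, so whoever copies the key and the minting code can log in as anyone, and it shows the two server-side controls that end such access: rotating the key and bumping a per-user session version.

```python
"""A signed session cookie, the forgery possible once the signing key is known,
and the two server-side controls that invalidate minted cookies.

Added illustration for this article, not Yahoo's cookie format. The scheme is
a generic HMAC-SHA256 cookie; keys, user ids and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(uid, keys, kid, session_ver, ttl=3600, now=None):
    """Issue a cookie for `uid`. Note what is NOT an input: the user's password.
    Whoever holds keys[kid] (the server, or an attacker who copied the minting
    code and key material) can call this for any uid and it will verify."""
    now = int(time.time()) if now is None else now
    claims = {"uid": uid, "kid": kid, "ver": session_ver, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(keys[kid], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_cookie(cookie, keys, session_vers, now=None):
    """Return the uid if the cookie is authentic, unexpired and not revoked,
    otherwise None. Every failure path returns the same None so the server
    leaks nothing about which check failed."""
    now = int(time.time()) if now is None else now
    try:
        p64, s64 = cookie.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
        claims = json.loads(payload)
        uid, kid, ver, exp = claims["uid"], claims["kid"], claims["ver"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None                      # malformed
    key = keys.get(kid)
    if key is None:
        return None                      # key id retired by rotation
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                      # tampered, or signed with another key
    if exp < now:
        return None                      # expired
    if ver != session_vers.get(uid):
        return None                      # this user's sessions were revoked
    return uid


def revoke_sessions(session_vers, uid):
    """Per-user 'log out everywhere': bump the version so every cookie carrying
    the old one, legitimate or forged, stops verifying. Returns a new mapping."""
    new = dict(session_vers)
    new[uid] = new.get(uid, 0) + 1
    return new


def rotate_key(new_kid, new_key):
    """Global invalidation: a key set containing only the new key. Every cookie
    minted under a retired kid now fails the keys.get() lookup in verify."""
    return {new_kid: new_key}


if __name__ == "__main__":
    keys = {"k1": b"constructed-server-key-1"}          # constructed secret
    vers = {"alice": 1, "bob": 1}
    now = 1_700_000_000                                  # fixed clock for the demo
    legit = mint_cookie("alice", keys, "k1", vers["alice"], now=now)
    forged = mint_cookie("bob", keys, "k1", vers["bob"], now=now)   # attacker with the key
    print("legit:", verify_cookie(legit, keys, vers, now=now))
    print("forged:", verify_cookie(forged, keys, vers, now=now))   # accepted: "bob"
    vers = revoke_sessions(vers, "bob")
    print("forged after revoke:", verify_cookie(forged, keys, vers, now=now))
    keys = rotate_key("k2", b"constructed-server-key-2")
    print("legit after rotation:", verify_cookie(legit, keys, vers, now=now))
```

The server-side checks are the point: a forged cookie is indistinguishable from a real one by signature alone, so the only remedies are to retire the key that signed it or to bump the per-user version, which is what a "sign out of all sessions" button does.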
The Business Impact
The timing was catastrophic. Yahoo was in the middle of selling its core business to Verizon when the breaches became public. Verizon cut its offer by $350 million, from $4.83 billion to $4.48 billion, and then-CEO Marissa Mayer forfeited her annual bonus and equity award.
Beyond the financials, the breach eroded trust in one of the internet's foundational companies. Users who still had Yahoo accounts were given a reason to leave, accelerating a decline that was already underway.
Lessons for Everyone
The Yahoo breach offers several critical lessons:
- Outdated cryptography is a ticking time bomb. MD5 and SHA-1 are fast general-purpose hashes and should never be used for password storage; a leaked table of them can be run against a wordlist at billions of guesses per second. Purpose-built password hashes such as bcrypt, scrypt, Argon2 or PBKDF2 add a per-user salt and a tunable cost so that each guess against each user is expensive and no precomputed table helps.
- Security questions are fundamentally weak. The answers are facts that are often public or guessable, and when they are stored unencrypted they become another attack vector rather than a safeguard. Treat them as secrets (hash them like passwords) or, better, replace them with a second factor.
- Employee training matters, but so do internal controls. The initial compromise came through phishing, a human vulnerability rather than a technical one; what turned one phished employee into access to every account was that the user database and account-management tooling were reachable from that foothold.
- Disclosure delays compound damage. Yahoo's management knew of the 2014 intrusion within days of it, in December 2014, yet did not disclose it until September 2016. The SEC fined the company (by then renamed Altaba) $35 million in 2018 for failing to tell investors, and the consumer class action settled for $117.5 million.
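The first lesson above, and the earlier point about why MD5 cracks so quickly, as an added example that is not part of the original article: a constructed dump in the shape of an unsalted MD5 password table is cracked with a toy wordlist in one pass, and the same passwords stored with salted scrypt (falling back to PBKDF2 on Python builds whose OpenSSL lacks scrypt) cost one full evaluation per user per guess. The usernames, hashes and wordlist are all constructed; the four well-known hashes are the MD5 digests of the passwords in their comments.

```python
"""Why an MD5 password table falls to a wordlist while a salted, slow hash does not.

Added example for this article, not Yahoo's code or its real data: LEAKED_MD5 is
a constructed dump in the shape of an unsalted MD5 password table; WORDLIST is a
tiny stand-in for the multi-gigabyte lists crackers actually use.
"""
import hashlib
import hmac
import os

# Constructed sample dump: username -> md5(password).hexdigest(), no salt.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol": "25d55ad283aa400af464c76d713c07ad",  # md5("12345678")
    "dave":  "d8578edf8458ce06fbc5bb76a58c5ca4",  # md5("qwerty")
    # A strong passphrase, hashed here so the demo has one entry the list misses.
    "frank": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Stand-in wordlist; real attacks use hundreds of millions of candidates.
WORDLIST = ["123456", "password", "qwerty", "letmein", "12345678", "dragon"]


def crack_md5(dump, wordlist):
    """Recover every password in `dump` whose plaintext appears in `wordlist`.

    Because the hash is unsalted, one table of md5(candidate) serves every user
    at once: the cost is one MD5 per candidate in total, not per user, and the
    table can be precomputed before the dump is ever obtained.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# Slow-hash parameters. scrypt at these values needs about 16 MiB of RAM and
# tens of milliseconds per evaluation; PBKDF2 is used only where scrypt is absent.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PBKDF2_ITERATIONS = 600_000


def _slow_hash(password: str, salt: bytes) -> bytes:
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest), drawing a fresh 16-byte random salt unless given one."""
    salt = salt or os.urandom(16)
    return salt, _slow_hash(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_slow_hash(password, salt), digest)


def crack_slow(store, wordlist):
    """The same wordlist attack against the salted slow hash. Every (user,
    candidate) pair costs a full evaluation: work scales with users x guesses,
    and nothing can be shared between users or precomputed."""
    found = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if verify_password(candidate, salt, digest):
                found[user] = candidate
                break
    return found


if __name__ == "__main__":
    print("MD5 dump cracked:", crack_md5(LEAKED_MD5, WORDLIST))
    store = {"alice": hash_password("password"),
             "frank": hash_password("correct horse battery staple")}
    print("slow-hash store cracked:", crack_slow(store, WORDLIST))
```

Note what the slow hash does and does not buy: "password" is still recovered, because the wordlist contains it. The gain is that every guess against every user now costs a full scrypt evaluation and no table can be shared, so the attacker's budget covers orders of magnitude fewer guesses per account. A slow hash protects the users with strong passwords; it does not rescue the weak ones.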
Are You Affected?
If you had a Yahoo account in August 2013 (including accounts used for Flickr or Yahoo Fantasy Sports), your data was in the 2013 theft, and accounts created up to late 2014 may be in the second. Changing your password afterward closed only part of the exposure: the security questions, phone number and date of birth were already taken. Treat the old answers as public, enable two-factor authentication on the account and on anything that used the same address for recovery, and expect targeted phishing that quotes those details.
Check your exposure on a breach-notification service such as Have I Been Pwned (LeakedSource, once widely used for this, was shut down by law enforcement in January 2017) to see what data linked to your addresses has appeared in this and other breaches.