Yahoo! Data Breach

3 billion records exposed • August 2013

Every single Yahoo account—3 billion of them—was compromised. Russian government hackers broke in and stayed for years. Yahoo didn't tell anyone for three years, only admitting it when they were about to be sold to Verizon. If you ever had a Yahoo account, your data was stolen. This is the biggest data breach in history.

What Happened

The Yahoo breach remains the largest data breach in history, affecting all 3 billion user accounts. The breach occurred in 2013 but wasn't disclosed until 2016 during Verizon's acquisition of Yahoo. Russian intelligence officers were indicted for the attack. The breach reduced Yahoo's sale price by $350 million.

Attack method: State-sponsored attack exploiting forged cookies

What Data Was Exposed

Names, Email addresses, Phone numbers, Dates of birth, Hashed passwords (MD5), Security questions and answers, Some payment card data

What to Do If You're Affected

  1. Change your Yahoo password immediately
  2. Enable two-factor authentication on your Yahoo account
  3. Change the password on any site where you reused your Yahoo password
  4. Change security questions (they were stolen in plaintext)
  5. Check for unauthorized access to linked accounts
  6. Stop using security questions; use a password manager instead (Bitwarden)

Lessons for Businesses

  • Delayed breach disclosure harms users and companies alike
  • MD5 hashing is not secure for password storage
  • Security questions are a security liability, not a feature
  • Nation-state attackers target consumer services for intelligence
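
To illustrate the MD5 lesson above, here is an added example (not code from Yahoo or from this page) of moving stored password hashes from MD5 to scrypt at the user's next successful login. The unsalted hex MD5 legacy format, the `scrypt$salt$key` record layout, the cost parameters and the sample passwords are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def legacy_md5(password: str) -> str:
    """Legacy record format assumed here: unsalted MD5, hex-encoded."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password: str) -> str:
    """New record: 'scrypt$<salt hex>$<key hex>' with a random per-user salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt. Returns (ok, replacement_record_or_None)."""
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
        return hmac.compare_digest(key.hex(), key_hex), None
    # Legacy path: verify against MD5 once, then hand back a scrypt record so
    # the caller can overwrite the MD5 value and never store it again.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, scrypt_record(password)
    return False, None


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    db = {"alice": legacy_md5("Tr0ub4dor&3"), "bob": legacy_md5("Tr0ub4dor&3")}
    print("identical MD5 records:", db["alice"] == db["bob"])
    for user in db:
        ok, new = verify_and_upgrade("Tr0ub4dor&3", db[user])
        if ok and new:
            db[user] = new
    print("identical scrypt records:", db["alice"] == db["bob"])
```

Accounts that never log in again keep their MD5 record under this scheme, so they need a separate forced reset or expiry.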
