Yahoo and Engadget Exposed in Massive Data Breach Affecting 245 Million Users
A recent cybersecurity incident has revealed a significant data exposure involving Yahoo, Engadget, and Yahoo Advertising, impacting an estimated 245 million users under the IAB Europe Transparency and Consent Framework (TCF). The breach stemmed from improper handling of technical identifiers, including browser cookies, device IDs, hashed email addresses, and IP addresses, data routinely collected for analytics, targeted advertising, and user authentication.
The exposed information, while not directly tied to individual identities in its aggregated form, included precise geolocation data, browsing behavior, and device-specific details (such as OS type and session duration). These identifiers, though anonymized, can be cross-referenced to reconstruct user profiles, posing risks for tracking, phishing, or account takeovers if exploited by malicious actors.
The incident highlights vulnerabilities in third-party data-sharing practices, particularly within digital advertising ecosystems. Yahoo’s privacy policies indicate that such data is used to personalize ads, measure engagement, and enhance services, but the exposure underscores the challenges of securing vast repositories of technical identifiers even when compliance frameworks like the TCF are in place.
Users were directed to adjust their privacy settings via links to "Privacy & Cookie Settings" or "Privacy Dashboard" on affected platforms, though the breach itself appears to have resulted from systemic data collection rather than a direct cyberattack. The full scope of the exposure and its potential misuse remain under investigation.
Source: https://finance.yahoo.com/news/look-coupang-cpng-valuation-data-121653049.html
Yahoo TPRM report: https://www.rankiteo.com/company/yahoo
Yahoo Advertising TPRM report: https://www.rankiteo.com/company/yahoo
Engadget TPRM report: https://www.rankiteo.com/company/engadget
"id": "engyah1771036196",
"linkid": "engadget, yahoo",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '245 million',
                        'industry': 'Technology/Internet',
                        'name': 'Yahoo',
                        'type': 'Company'},
                       {'customers_affected': '245 million',
                        'industry': 'Technology Media',
                        'name': 'Engadget',
                        'type': 'Company'},
                       {'customers_affected': '245 million',
                        'industry': 'Digital Advertising',
                        'name': 'Yahoo Advertising',
                        'type': 'Company'}],
 'customer_advisories': 'Users directed to adjust privacy settings via '
                        "'Privacy & Cookie Settings' or 'Privacy Dashboard'",
 'data_breach': {'number_of_records_exposed': '245 million',
                 'personally_identifiable_information': 'Hashed email '
                                                        'addresses, IP '
                                                        'addresses',
                 'sensitivity_of_data': 'Medium (anonymized but '
                                        'reconstructable)',
                 'type_of_data_compromised': 'Technical identifiers (browser '
                                             'cookies, device IDs, hashed '
                                             'email addresses, IP addresses), '
                                             'geolocation data, browsing '
                                             'behavior, device-specific '
                                             'details'},
 'description': 'A recent cybersecurity incident has revealed a significant '
                'data exposure involving Yahoo, Engadget, and Yahoo '
                'Advertising, impacting an estimated 245 million users under '
                'the IAB Europe Transparency and Consent Framework (TCF). The '
                'breach stemmed from improper handling of technical '
                'identifiers, including browser cookies, device IDs, hashed '
                'email addresses, and IP addresses data routinely collected '
                'for analytics, targeted advertising, and user authentication. '
                'The exposed information included precise geolocation data, '
                'browsing behavior, and device-specific details, which can be '
                'cross-referenced to reconstruct user profiles, posing risks '
                'for tracking, phishing, or account takeovers.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data exposure',
            'data_compromised': 'Technical identifiers (browser cookies, '
                                'device IDs, hashed email addresses, IP '
                                'addresses), precise geolocation data, '
                                'browsing behavior, device-specific details',
            'identity_theft_risk': 'Risk of tracking, phishing, or account '
                                   'takeovers'},
 'investigation_status': 'Under investigation',
 'lessons_learned': 'Vulnerabilities in third-party data-sharing practices and '
                    'challenges in securing vast repositories of technical '
                    'identifiers even under compliance frameworks like TCF.',
 'post_incident_analysis': {'root_causes': 'Improper handling of technical '
                                           'identifiers in third-party '
                                           'data-sharing practices'},
 'recommendations': 'Review and strengthen data handling practices for '
                    'technical identifiers, enhance user privacy controls, and '
                    'improve transparency in data collection and sharing.',
 'regulatory_compliance': {'regulations_violated': 'Potential non-compliance '
                                                   'with IAB Europe '
                                                   'Transparency and Consent '
                                                   'Framework (TCF)'},
 'response': {'remediation_measures': 'Users directed to adjust privacy '
                                      "settings via 'Privacy & Cookie "
                                      "Settings' or 'Privacy Dashboard'"},
 'title': 'Yahoo and Engadget Exposed in Massive Data Breach Affecting 245 '
          'Million Users',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Improper handling of technical identifiers'}