An unauthorised third party gained access to the company's secret code to learn how to fake specific cookies, which allowed the intrusive party to have unrestricted access to almost 32 million user accounts.
The compromised information included names, email addresses, telephone numbers, hashed passwords, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers, but payment and bank information remained safe.
Source: https://www.zdnet.com/article/yahoo-says-32m-user-accounts-accessed-via-cookie-forging-attack/
TPRM report: https://scoringcyber.rankiteo.com/company/yahoo
"id": "yah1236722",
"linkid": "yahoo",
"type": "Breach",
"date": "03/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"