In 2013, Yahoo suffered the largest data breach in history, compromising **all 3 billion user accounts**—a figure revised upward from the initially reported 1 billion. The breach, attributed to **state-sponsored Russian hackers**, remained undetected for three years. Attackers exfiltrated **names, email addresses, phone numbers, birthdates, and hashed passwords**, while a separate 2014 intrusion exposed account security keys for over **500 million accounts**, enabling deeper access to private user data. The delayed discovery exacerbated risks, as stolen credentials were likely exploited in follow-on attacks (e.g., credential stuffing, phishing). The breach severely damaged Yahoo’s reputation, led to **regulatory fines (e.g., $35 million SEC penalty)**, and forced the company to **lower its sale price to Verizon by $350 million**. The incident underscored systemic failures in Yahoo’s security practices, including inadequate monitoring, delayed disclosure, and poor encryption standards for password storage.
Source: https://cybersecurityventures.com/yahoo-still-ranks-as-the-largest-data-breach-in-history/
TPRM report: https://www.rankiteo.com/company/yahoo
"id": "yah5062750092125",
"linkid": "yahoo",
"type": "Breach",
"date": "6/2013",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
```json
{
  "affected_entities": [
    {
      "customers_affected": "3 billion",
      "industry": "Internet Services",
      "location": "Sunnyvale, California, USA",
      "name": "Yahoo",
      "size": "Large (3 billion user accounts)",
      "type": "Technology Company"
    }
  ],
  "attack_vector": [
    "State-sponsored hacking",
    "Compromised credentials",
    "Exploitation of vulnerabilities"
  ],
  "customer_advisories": [
    "Mandatory password resets for all users",
    "Guidance on monitoring for identity theft"
  ],
  "data_breach": {
    "data_encryption": "Partially (passwords were encrypted but other data was not)",
    "data_exfiltration": "Yes",
    "number_of_records_exposed": "3 billion (2013 breach) + 500 million (2014 breach)",
    "personally_identifiable_information": ["Names", "Email addresses", "Phone numbers", "Birthdates"],
    "sensitivity_of_data": "High (PII, encrypted passwords, account keys)",
    "type_of_data_compromised": ["Personally Identifiable Information (PII)", "Account credentials"]
  },
  "date_detected": "2016",
  "date_publicly_disclosed": "2016-12-14",
  "description": "In what is considered the largest data breach in history, all 3 billion Yahoo user accounts were compromised by a 2013 breach that went undetected for three years. The attackers, believed to be state-sponsored hackers from Russia, stole names, email addresses, phone numbers, birthdates, and encrypted passwords from Yahoo’s user database. A separate 2014 intrusion also allowed hackers to gain the account keys needed to access the private information of over 500 million accounts.",
  "impact": {
    "brand_reputation_impact": "Severe (largest breach in history)",
    "data_compromised": [
      "Names",
      "Email addresses",
      "Phone numbers",
      "Birthdates",
      "Encrypted passwords",
      "Account keys (for 500M+ accounts)"
    ],
    "identity_theft_risk": "High",
    "systems_affected": ["User database"]
  },
  "initial_access_broker": {
    "high_value_targets": ["User database", "Account credentials"],
    "reconnaissance_period": "Unknown (breach remained undetected for ~3 years)"
  },
  "investigation_status": "Closed (breach disclosed in 2016; legal settlements reached)",
  "lessons_learned": [
    "Delayed detection of breaches can exacerbate damage and erode trust.",
    "State-sponsored threats require advanced threat detection and attribution capabilities.",
    "Encryption of sensitive data (e.g., passwords) is critical but not sufficient alone; additional layers of security are necessary.",
    "Transparency in breach disclosure, though delayed, is essential for maintaining credibility."
  ],
  "motivation": ["Espionage", "Data Theft"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Yahoo (post-acquisition by Verizon) implemented stricter security protocols, including end-to-end encryption for user data.",
      "Enhanced collaboration with law enforcement and cybersecurity firms to attribute and mitigate threats.",
      "User education campaigns on password hygiene and account security.",
      "Legal settlements to compensate affected users and improve transparency."
    ],
    "root_causes": [
      "Inadequate security controls to detect unauthorized access.",
      "Failure to encrypt all sensitive user data (e.g., PII).",
      "Lack of real-time monitoring for anomalous activity.",
      "Delayed incident response and disclosure."
    ]
  },
  "recommendations": [
    "Implement continuous monitoring and anomaly detection to identify breaches in real-time.",
    "Conduct regular third-party security audits to identify and remediate vulnerabilities.",
    "Enhance incident response plans to include rapid public disclosure and user communication strategies.",
    "Adopt multi-factor authentication (MFA) and advanced encryption standards for all user data.",
    "Invest in threat intelligence to preemptively identify and mitigate state-sponsored or advanced persistent threats (APTs)."
  ],
  "references": [
    {
      "date_accessed": "2024-07-03",
      "source": "Cybercrime Magazine - 2024 Cybersecurity Almanac",
      "url": "https://cybercrimemagazine.com"
    },
    {"source": "Yahoo Breach Settlement (Official Court Documents)"},
    {"source": "FBI Investigation Reports (Public Statements)"}
  ],
  "regulatory_compliance": {
    "legal_actions": ["Class-action lawsuits filed by users", "Settlement agreements"]
  },
  "response": {
    "communication_strategy": ["Public disclosure in 2016", "User notifications"],
    "law_enforcement_notified": "Yes (FBI investigated)",
    "remediation_measures": ["Password resets for affected users", "Enhanced security protocols"]
  },
  "stakeholder_advisories": [
    "Public statements by Yahoo (now part of Verizon Media/Oath)",
    "FBI advisories on state-sponsored cyber threats"
  ],
  "threat_actor": "State-sponsored hackers (believed to be from Russia)",
  "title": "Yahoo Data Breach (2013-2014)",
  "type": ["Data Breach", "Unauthorized Access"]
}
```