In December 2016, the California Office of the Attorney General disclosed a massive data breach affecting **Yahoo! Inc.**, originating from an August 2013 cyberattack. A third party claimed possession of stolen user data from over **one billion accounts**, marking one of the largest breaches in history. The compromised information included **names, email addresses, phone numbers, and hashed passwords**, though payment card and bank account details were reportedly not exposed. The breach, attributed to state-sponsored actors, highlighted severe vulnerabilities in Yahoo’s security infrastructure, eroding user trust and leading to significant reputational damage. The incident also triggered regulatory scrutiny, financial penalties, and a **$350 million reduction in Yahoo’s acquisition price by Verizon** due to the breach’s scale and delayed disclosure. While no direct financial fraud was tied to the stolen data, the exposure of personal credentials posed long-term risks, including phishing, identity theft, and account takeovers across other platforms where users reused passwords.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-65449
TPRM report: https://www.rankiteo.com/company/yahoo-international
"id": "yah948091725",
"linkid": "yahoo-international",
"type": "Breach",
"date": "8/2013",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,000,000,000+',
'industry': 'Technology (Internet Services)',
'location': 'Sunnyvale, California, USA',
'name': 'Yahoo! Inc.',
'size': 'Large (global operations)',
'type': 'Corporation'}],
'data_breach': {'data_encryption': 'Partially (hashed passwords)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '1,000,000,000+',
'personally_identifiable_information': ['names',
'email addresses',
'phone numbers'],
'sensitivity_of_data': 'High (includes hashed passwords)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Authentication Data']},
'date_detected': '2016-12-14',
'date_publicly_disclosed': '2016-12-14',
'description': 'On December 14, 2016, the California Office of the Attorney '
'General reported data security issues concerning Yahoo! Inc. '
'A third party claimed to have Yahoo user data that was stolen '
'in August 2013, affecting over one billion user accounts. The '
'compromised information may have included names, email '
'addresses, phone numbers, and hashed passwords, but not '
'payment card or bank account data.',
'impact': {'brand_reputation_impact': 'Severe (affected over 1 billion '
'accounts)',
'data_compromised': ['names',
'email addresses',
'phone numbers',
'hashed passwords'],
'identity_theft_risk': 'High (PII exposed)',
'payment_information_risk': 'None (payment card/bank data not '
'compromised)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (third party '
'claimed possession of '
'stolen data)'},
'references': [{'date_accessed': '2016-12-14',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'law_enforcement_notified': 'Yes (California Office of the '
'Attorney General)'},
'title': 'Yahoo Data Breach (2013, Disclosed 2016)',
'type': 'Data Breach'}