2013: Yahoo Breach: All 3 Billion Accounts Compromised
Imagine a break-in so massive that every single person who ever used the service was affected. Not most of them. Not a significant portion. Every last one. That is the Yahoo breach of 2013: a security catastrophe so vast that when the full scope was finally revealed four years later, it covered all 3 billion Yahoo user accounts, making it the largest data breach in the history of the internet. It is a record that still stands, and one that nobody wants to break.
The Breach Nobody Knew About
The most unsettling aspect of the Yahoo breach is not its size but how long it remained hidden. The intrusion occurred in August 2013, but Yahoo did not disclose it until December 2016, more than three years later. Even that disclosure was incomplete: Yahoo initially reported that 1 billion accounts had been affected. It was not until October 2017, four years after the breach, that the company revised the number to all 3 billion accounts.
Three billion accounts means three billion sets of names, email addresses, telephone numbers, dates of birth, and hashed passwords. In many cases, the stolen data also included security questions and answers — some of which were stored unencrypted. For the hundreds of millions of people who reused their Yahoo password on other sites, the breach created cascading vulnerabilities across their entire digital lives.
The Other Breach
To make matters worse, the 2013 breach wasn’t Yahoo’s only major security incident. In September 2014, a separate breach — this one attributed to state-sponsored hackers — compromised approximately 500 million Yahoo accounts. Yahoo disclosed this breach in September 2016, shortly before disclosing the larger 2013 breach.
The 2014 breach was significant in its own right: the stolen data included names, email addresses, phone numbers, dates of birth, hashed passwords, and security questions. The U.S. Department of Justice later indicted four individuals, including two officers of Russia’s Federal Security Service (FSB), in connection with this breach.
Two massive breaches, years of delayed disclosure, state-sponsored hackers — Yahoo’s security situation was catastrophic from every angle.
The Password Problem
The Yahoo breach highlighted a critical security failing: the passwords in the stolen 2013 data set were hashed with MD5. MD5 was designed as a general-purpose hash, not a password hash, and its collision weaknesses were public by 2004. What matters more for a stolen password database is its speed: because MD5 is cheap to compute, commodity GPUs in 2013 could already test billions of guesses per second, so any password that appears in a cracking wordlist, or is short enough to enumerate, is recovered in minutes to hours.
Purpose-built password hashes such as bcrypt, which Yahoo had been transitioning to, are deliberately slow and salted: a tunable cost factor makes each guess expensive, and the per-user salt stops one computation from being checked against every account at once. The accounts still stored as MD5 hashes had neither protection. Any password found in a wordlist was, in practice, as good as plaintext once the database was stolen; only users with long, random passwords got real protection from the hash itself.
This was compounded by the unencrypted security questions. If your Yahoo security question was "What is your mother's maiden name?" and the answer was stored in plaintext, the attacker had it immediately, and unlike a password it cannot be rotated. The same answer is useful against any other account, at Yahoo or elsewhere, that relies on the same question for account recovery.
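The cost difference described above, shown as an added example that is not Yahoo's code: a dictionary attack on a constructed table of unsalted MD5 hashes, the same attack on salted hashes with a work factor, and security-question answers stored the same way as passwords. bcrypt is not in the Python standard library, so `hashlib.pbkdf2_hmac` stands in for it here; what is being demonstrated is the salt plus tunable cost, which both share. The accounts, passwords, wordlist and iteration count are all constructed for the example.

```python
"""Added example, not Yahoo's code: a dictionary attack on a table of
unsalted MD5 password hashes, compared with the same attack on salted,
work-factor hashes. bcrypt is not in the Python standard library, so
hashlib.pbkdf2_hmac stands in for it; both are salted and have a
tunable cost, which is the property being demonstrated. Every user,
password and "leaked" table below is constructed for this example."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Cracking wordlist, constructed for the example.
WORDLIST: List[str] = ["password", "123456", "qwerty", "letmein", "yahoo2013",
                       "sunshine", "iloveyou", "monkey", "dragon", "baseball"]

# Work factor for the slow hash (bcrypt's analogue is its cost parameter).
ITERATIONS = 100_000


def md5_hash(password: str) -> str:
    """Unsalted MD5: fast, and identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as salt$digest so verification can recover the salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_slow(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed accounts: two users reuse the same weak password, one has a strong one.
PLAINTEXTS: Dict[str, str] = {
    "alice@example.com": "letmein",
    "bob@example.com": "letmein",
    "carol@example.com": "correct horse battery staple 7#Q",
}
LEAKED_MD5: Dict[str, str] = {u: md5_hash(p) for u, p in PLAINTEXTS.items()}
LEAKED_SALTED: Dict[str, str] = {u: slow_hash(p) for u, p in PLAINTEXTS.items()}


def crack_unsalted_md5(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash each guess once and match it against every account at the same time.
    No salt means the work is amortised over the whole table, and users who share
    a password fall together."""
    lookup = {md5_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Same wordlist against salted hashes: every (account, guess) pair costs a
    full iterated hash, so weak passwords still fall, but slowly and one at a time."""
    cracked: Dict[str, str] = {}
    for user, stored in leaked.items():
        for word in wordlist:
            if verify_slow(word, stored):
                cracked[user] = word
                break
    return cracked


def guesses_per_second(hash_fn, n: int) -> float:
    start = time.perf_counter()
    for i in range(n):
        hash_fn("guess%d" % i)
    return n / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times more expensive one guess is with the iterated hash than with MD5."""
    return guesses_per_second(md5_hash, 20_000) / guesses_per_second(slow_hash, 10)


def normalise_answer(answer: str) -> str:
    """Security-question answers are secrets too: normalise, then hash like a password."""
    return " ".join(answer.lower().split())


def store_answer(answer: str) -> str:
    return slow_hash(normalise_answer(answer))


def verify_answer(answer: str, stored: str) -> bool:
    return verify_slow(normalise_answer(answer), stored)


if __name__ == "__main__":
    print("MD5 table cracked:    ", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("Salted table cracked: ", crack_salted(LEAKED_SALTED, WORDLIST))
    print("alice == bob (MD5)?   ", LEAKED_MD5["alice@example.com"] == LEAKED_MD5["bob@example.com"])
    print("alice == bob (salted)?", LEAKED_SALTED["alice@example.com"] == LEAKED_SALTED["bob@example.com"])
    print("per-guess slowdown: %.0fx" % slowdown_factor())
```

Two things to notice when running it. The salt does not stop the wordlist attack; alice and bob still fall because "letmein" is in the list. What the salt removes is amortisation (alice and bob no longer share a hash, so each must be attacked separately), and what the work factor removes is speed (each guess costs tens of milliseconds instead of nanoseconds). carol's long random password survives both tables, which is why the advice to use unique random passwords matters even when the service does everything right.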
Impact on the Verizon Deal
The timing of the breach disclosures was particularly damaging because Yahoo was in the process of being acquired by Verizon Communications. Verizon had agreed to buy Yahoo's internet business for $4.83 billion in July 2016. After the breaches were disclosed in September and December 2016, Verizon renegotiated the price, announcing the revised terms in February 2017.
The final result: Verizon reduced its offer by $350 million, closing the deal at $4.48 billion in June 2017. But the financial penalty was arguably the least of Yahoo’s problems. The breach disclosures shattered trust in Yahoo’s security practices and accelerated the exodus of users from Yahoo Mail to Gmail and other services.
The Legal Aftermath
The fallout from the Yahoo breaches was extensive and expensive. In 2018, the SEC fined Yahoo's successor company, Altaba, $35 million for failing to disclose the 2014 breach to investors in a timely manner, the first time the SEC had penalized a company over a data breach disclosure failure.
Multiple class-action lawsuits were filed on behalf of affected users. A first proposed settlement was rejected by the court in early 2019 as too small; the revised settlement agreed later that year and approved in 2020 created a $117.5 million fund covering cash payments and credit monitoring services for affected users.
Yahoo's Chief Information Security Officer, Alex Stamos, had left the company in 2015, reportedly in part because of frustration with senior management's response to security concerns. Other security staff departures followed. The organizational dysfunction that allowed two massive breaches to go undisclosed for years was, by many accounts, a cultural problem as much as a technical one.
Why It Matters
The Yahoo breach holds lessons that remain relevant for anyone who uses email. First, if your email service has been breached, change your password immediately, and change it on every other site where you used the same password. Password reuse is the force multiplier that turns a single breach into a personal security catastrophe: attackers replay leaked credentials against other services in bulk, and reused passwords are exactly what makes that work.
Second, use unique, strong passwords for every service, managed by a password manager. If the Yahoo breach teaches one thing, it’s that even the largest companies can fail at protecting your credentials.
Third, enable two-factor authentication everywhere it is available. A stolen password alone is then not enough to log in; the attacker also needs your second factor. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping or phishing, but even SMS-based 2FA defeats the bulk credential-stuffing that follows a breach like Yahoo's.
The Yahoo breach is a reminder that email security starts with the basics. For email marketers, protecting your sending reputation starts with proper authentication — learn how SPF, DKIM, and DMARC protect your domain in our authentication history.
Frequently Asked Questions
How many accounts were affected in the Yahoo breach?
All 3 billion Yahoo user accounts were compromised in the 2013 breach, making it the largest data breach in history. Yahoo initially reported 1 billion accounts in December 2016, but revised the number to 3 billion in October 2017.
What data was stolen in the Yahoo breach?
The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the weak MD5 algorithm), and in some cases, encrypted or unencrypted security questions and answers.
How did the Yahoo breach affect the Verizon acquisition?
The disclosure of the breaches led Verizon to reduce its acquisition price for Yahoo's internet business by $350 million, from $4.83 billion to $4.48 billion. The deal closed in June 2017.