What is Yahoo Data Breach?

The Yahoo data breach refers to two massive data breaches at Yahoo: one in 2013 affecting all 3 billion accounts and another in 2014 affecting 500 million accounts. They are the largest data breaches in history by number of affected users.

Also known as: Yahoo Hack, Yahoo Data Leak, Biggest Data Breach Ever

Yahoo holds the record for the largest data breach in history: all 3 billion user accounts were compromised. The breach wasn't disclosed for three years, and Yahoo was in the process of being sold to Verizon when the full scope was revealed.

Timeline

  • 2013: State-sponsored attackers breach Yahoo — all 3 billion accounts affected
  • 2014: A separate breach compromises 500 million accounts
  • September 2016: Yahoo discloses the 2014 breach (2 years late)
  • December 2016: Yahoo discloses the 2013 breach, initially claiming 1 billion accounts
  • October 2017: Yahoo revises the 2013 breach to all 3 billion accounts

What Was Exposed

  • Names, email addresses, phone numbers
  • Dates of birth
  • Hashed passwords (MD5 — a weak algorithm)
  • Security questions and answers (some unencrypted)
  • Forged authentication cookies (allowing access without passwords)

Impact

  • Verizon reduced its acquisition price by $350 million (from $4.83B to $4.48B)
  • Yahoo's CISO resigned
  • The breach exposed the danger of security questions as authentication (many people reuse answers)
  • Millions of credentials were sold on dark web marketplaces
  • Credential stuffing attacks skyrocketed — hackers used Yahoo passwords to break into other accounts

Lessons

  1. Don't reuse passwords — the Yahoo breach fueled attacks on millions of other sites
  2. Security questions are not secure — treat them as secondary passwords (use random answers stored in a password manager)
  3. Companies hide breaches — Yahoo sat on the information for years
  4. MD5 is broken — any company still using it for password hashing is negligent
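
Lesson 4 from the operator's side, as an added example (not from the original page or from Yahoo): a login path that still verifies legacy MD5 records but rehashes them with salted scrypt on the first successful login. The bare-MD5 record format, the scrypt parameters and the sample store are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware)
N, R, P, DKLEN = 2**14, 8, 1, 32

def legacy_md5(password: str) -> str:
    """Legacy record (constructed format): bare hex MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str, salt: bytes = b"") -> str:
    """Hardened record: scrypt$<salt hex>$<key hex>, with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record type in constant time."""
    if record.startswith("scrypt$"):
        _, salt_hex, _ = record.split("$")
        expected = scrypt_record(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, record)
    return hmac.compare_digest(legacy_md5(password), record)

def login(store: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy MD5 record while the password is in hand."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        store[user] = scrypt_record(password)
    return True

def legacy_accounts(store: dict) -> list:
    """Accounts still on MD5: candidates for a forced reset after a deadline."""
    return sorted(u for u, r in store.items() if not r.startswith("scrypt$"))

# Constructed sample store: two users who chose the same password.
STORE = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("correct horse"),
}
```

Before any login, the two legacy records are identical, so cracking one MD5 digest reveals every account that shares the password; after both users log in, each record carries its own salt and the stored values differ.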
