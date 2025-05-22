Yahoo's infamous 2013 and 2014 data breaches reign as the largest ever in internet history. Approximately 3 billion records were affected. There were two breaches spanning two years, which Yahoo did not deign to publicly disclose until 2016. The first in 2013 affected all 3 billion Yahoo accounts, including email addresses, personal information like birth dates and phone numbers, and more. It was later determined that nothing sensitive (like passwords and payment information) was stolen unencrypted, but some of the passwords were stored in the more vulnerable MD5 hashed format.

Advertisement

The second breach in 2014 affected 500 million accounts. Ironically, Yahoo disclosed this breach first in September 2016, then much more concerning the 2013 breach in December. Even before the company acknowledged the breach, there were reports of account credentials being sold on the dark web as far back as August 2016. At first, experts believed the hackers were foreign state-sponsored, but it was later determined to be three Russians and a Canadian. The hackers may have directly accessed about 32 million accounts, but it's difficult to know just how damaging this attack was to Yahoo users. Only one suspect — Karim Baratov — was arrested and charged.

Yahoo was in the process of selling properties to Verizon, so there's a chance it concealed its knowledge of the hack to make sure the deal went through; The agreed-upon price dropped when the hack was disclosed. After a long class action legal battle, Yahoo settled with users for $118 million. It's because of large breaches such as these that we recommend using a website like "Have I Been Pwned?" to check if your data was compromised.

Advertisement