Yahoo's 3 Billion Account Breach: History's Largest Hack
How two massive data breaches exposed personal information from nearly half the world's internet users — and went undetected for years


In August 2013, Yahoo suffered a catastrophic security breach that would eventually be confirmed as the largest data breach in history. Hackers gained access to approximately 3 billion user accounts—nearly half of all internet users at the time. The company would not publicly acknowledge this breach until December 2016, more than three years later.
But Yahoo's security failures didn't end there. Between November and December 2014, a second massive breach compromised roughly 500 million additional user accounts. This breach was disclosed publicly in September 2016, a full two years after it occurred.
First hacker attack on Yahoo: Hackers gain access to Yahoo's systems for the first time and begin compromising user accounts.
Second massive security incident: A further attack affects more than 500 million accounts. The hackers continue to operate undetected.
Active data exploitation begins: The hackers begin systematically using the stolen data for criminal purposes, searching email accounts for gift cards and voucher codes.
End of documented activity: Active attempts to exploit the stolen data are documented up to this point.
Public disclosure of the data leak: Yahoo announces that 3 billion user accounts were compromised through two separate security breaches; virtually all Yahoo users worldwide are affected.

## What Was Stolen
Both breaches exposed the same categories of sensitive personal information: names, email addresses, phone numbers, and dates of birth. Hackers also obtained hashed and encrypted passwords, along with security questions in both encrypted and unencrypted formats. For millions of Yahoo users, this meant their most basic identity information was in the hands of criminals or foreign actors.
## The Investigation and Attribution
The two breaches appear to have had different perpetrators. The 2014 breach was officially attributed by the U.S. Justice Department to Alexey Belan, a Russian national accused of orchestrating the attack. However, the much larger 2013 breach remains officially unresolved. When Yahoo CEO Marissa Mayer testified before Congress in 2017, she stated that the company could not determine who was responsible for the 2013 breach. Intelligence assessments suggest state-sponsored actors were likely involved in at least one of the incidents, though no definitive attribution has been made public.
## Delayed Disclosure and Consequences
Yahoo's three-year delay in disclosing the 2013 breach proved costly. The Securities and Exchange Commission fined the company $35 million for failing to promptly inform investors about the security incident. The breach also became a major factor in the company's acquisition by Verizon. The deal was originally valued at $4.8 billion, but Verizon reduced its offer by $300 million, citing the data breaches as the reason, which brought the final purchase price to $4.5 billion.
The financial damage extended beyond the acquisition. Forty-one class-action lawsuits were filed against Yahoo by affected users seeking compensation for the exposure of their personal data.
## A Pattern of Failures
What made the Yahoo breaches particularly significant wasn't just their scale, but what they revealed about corporate cybersecurity practices. The fact that the 2013 breach went undetected and undisclosed for over three years raised serious questions about Yahoo's security monitoring capabilities and its obligation to users. The subsequent 2014 breach, occurring while the 2013 breach remained hidden, suggested systemic vulnerabilities in the company's infrastructure.