
Cocojunk
Yahoo data breaches
The Yahoo Data Breaches (2013 & 2014): A Case Study in Scale, Delay, and Consequences
The Yahoo data breaches of 2013 and 2014 stand as monumental failures in the history of technology and corporate responsibility. Affecting billions of user accounts and exposing sensitive personal information, these incidents were compounded by a significant delay in public disclosure, leading to severe financial, legal, and reputational damage for the company. They serve as a stark reminder of the critical importance of robust cybersecurity and transparent communication in the digital age.
Overview of the Breaches
In August 2013, Yahoo's servers were compromised in a breach that would eventually be revealed to have impacted all three billion user accounts. Just over a year later, in late 2014, another major intrusion occurred, affecting details from over 500 million user accounts.
Both breaches were characterized by the theft of highly sensitive personal data, including:
- Names
- Email addresses
- Phone numbers
- Birth dates
- Security questions (both encrypted and, critically, unencrypted)
- Hashed passwords (though the strength of the hashing varied)
Despite being aware of the 2014 intrusion by that same year, Yahoo did not publicly disclose either breach until September 2016, and the full extent of the 2013 breach wasn't revealed until October 2017. This delay became a central point of criticism and regulatory action.
These events triggered wide-ranging consequences, including criminal indictments against individuals linked to the 2014 breach, significant financial penalties, intense scrutiny from governments and regulators, complicated corporate acquisition plans, and widespread public distrust.
The 2013 Data Breach
The earliest of the two major breaches occurred on Yahoo servers in August 2013. When initially disclosed in December 2016, Yahoo reported that one billion accounts had been compromised. However, nearly a year later, in October 2017, Yahoo revised this estimate dramatically, confirming that all three billion user accounts existing at the time were affected.
The data stolen in this breach included the standard information listed above. Yahoo executives, including then-CEO Marissa Mayer, testified later in 2017 that the company was unable to definitively identify the perpetrators of the 2013 breach.
The 2014 Data Breach
The second significant breach took place in late 2014, specifically around November or December. In this incident, a hacker, believed by U.S. authorities to be Russian national Alexey Belan, allegedly copied a backup of Yahoo's User Account Database from November 2014. This database contained information for over 500 million accounts.
The data included account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.
Crucially, this breach also involved a more sophisticated attack method: forged web cookies.
What are Web Cookies? Web cookies are small pieces of data stored on a user's computer by their web browser while they are browsing a website. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client computer. Cookies are commonly used to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity (including clicking particular buttons, logging in, or reading pages).
What is a Cookie-Based Attack? A cookie-based attack exploits weaknesses in how a website uses cookies for authentication. In a "forged cookie" attack (the term Yahoo used in its regulatory filings; the page's other label, "cookie stuffing", is a looser name for the same idea), the attacker creates authentication cookies that the site accepts as valid for a given user without ever knowing that user's password. The site then treats the attacker exactly as if the user had logged in normally. This type of attack is particularly insidious because it bypasses password cracking entirely, giving direct access to account data and, potentially, to the account's contents. Yahoo later disclosed that 32 million accounts were accessed via this method between 2015 and 2016.
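To make the forged-cookie problem concrete, here is an added example (not Yahoo's code, and not from the original article) of the minimal defence a site needs: every session cookie carries a keyed signature, the server verifies it in constant time, checks expiry, and rejects any cookie whose payload was altered or that was signed under a key that has since been rotated. The key, user ids and time values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key; a real deployment keeps it in a KMS/HSM and rotates it.
SERVER_KEY = b"constructed-example-key-rotate-me"

def _sign(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def mint_cookie(user_id: str, key: bytes = SERVER_KEY, ttl: int = 3600,
                now: Optional[int] = None) -> str:
    """Return 'payload.signature'; only a holder of `key` can produce a valid signature."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"uid": user_id, "exp": now + ttl}, sort_keys=True)
    payload = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{payload}.{_sign(payload, key)}"

def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time compare so timing does not leak how many signature bytes matched.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:          # covers bad base64 and bad JSON
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims

def tampered_copy(cookie: str, new_uid: str) -> str:
    """Constructed forgery attempt: swap the uid but keep the original signature.
    Without the key the attacker cannot re-sign, so verify_cookie() rejects it."""
    payload, _, sig = cookie.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    claims["uid"] = new_uid
    new_payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{new_payload}.{sig}"
```

The caveat for the Yahoo case: if the attacker obtains the cookie-minting code and its key, the signature check passes, and only rotating the key (which invalidates every outstanding cookie, forged or genuine) and revoking sessions server-side closes the hole.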
The hackers leveraged the stolen data and cookie-based access for various illicit activities from late 2014 through at least November 2016:
- Searching emails for valuable information like gift voucher codes.
- Deliberately targeting the accounts of specific individuals deemed "of interest."
- Attempting to improve the search ranking of businesses they had a stake in.
- Using Yahoo data (like security questions) to try and compromise accounts on other platforms (e.g., Gmail).
To facilitate breaching accounts on other platforms, the hackers allegedly enlisted the help of Canadian hacker Karim Baratov.
Technical Aspects: Passwords and Security Questions
The breaches highlighted critical vulnerabilities in how user authentication data was stored.
What is Hashing? Hashing is a cryptographic process that transforms data (like a password) into a fixed-size string of characters called a hash or hash value. A good hashing algorithm is a one-way function – meaning it's easy to compute the hash from the data, but computationally infeasible to reverse the process (find the original data from the hash). Websites store the hash of your password, not the password itself. When you log in, they hash the password you entered and compare it to the stored hash. If they match, you're authenticated. This protects passwords in case the database is stolen – attackers only get the hashes, not the original passwords.
The Yahoo breaches involved both hashed and potentially unhashed passwords. While the majority of passwords reportedly used the more secure bcrypt hashing algorithm (slow by design, and therefore expensive to attack), some may have used older, weaker algorithms such as MD5. MD5 is fast, and when it is used without a per-user salt an attacker does not need to "reverse" it at all: the stolen hashes can be matched against passwords by brute-force guessing on modern hardware or against pre-computed lookup tables (rainbow tables) in very little time. The presence of weaker hashing methods significantly increased the risk of passwords being compromised.
The inclusion of unencrypted security questions and answers was another critical failure. Security questions are often based on easily guessable information (mother's maiden name, first pet's name, etc.) or on data that can be found online. Storing the answers unencrypted meant that anyone who obtained the database backup had immediate access to them, and those answers could then be used to reset passwords or gain access to other accounts, not just on Yahoo.
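The two storage failures described above (fast unsalted hashing, and plaintext security answers) come down to one fix, shown here as an added example that is not from the article or from Yahoo: compare an unsalted MD5 hash against a precomputed lookup table, then store the same secret with a random salt and a deliberately slow hash, and treat security answers the same way. The password list is a constructed sample, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed sample of common passwords; a real table would hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "sunshine"]

def md5_unsalted(password: str) -> str:
    """The weak scheme: fast and unsalted, so identical passwords hash identically everywhere."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(words) -> dict:
    """Stand-in for a rainbow table: computed once, reusable against every stolen unsalted hash."""
    return {md5_unsalted(w): w for w in words}

def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256, used here as a stand-in for bcrypt).
    A fresh random salt per record makes any precomputed table useless."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def normalize_answer(answer: str) -> str:
    """Security answers get the password treatment: normalize case, whitespace and Unicode form
    so 'Fluffy ' and 'fluffy' agree, then store only hash_secret(normalize_answer(answer))."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())
```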
Internal Security Culture at Yahoo
Understanding the context of the breaches requires looking at Yahoo's internal approach to security during this period. In early 2014, after being identified as a potential target for state-sponsored hackers, Yahoo hired Alex Stamos as its Chief Information Security Officer (CISO).
What is a CISO (Chief Information Security Officer)? A CISO is a senior-level executive responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. They typically lead the cybersecurity team and advise leadership on security risks and investments.
While Stamos' hiring was seen as a positive step, reports later emerged that CEO Marissa Mayer had allegedly denied Stamos and his team sufficient funding to implement the security measures they recommended. This reported underfunding and lack of prioritization of security resources may have contributed to the vulnerabilities that allowed the breaches to occur or go undiscovered for so long. Alex Stamos departed the company by 2015. A lack of investment in cybersecurity, despite known risks and expert recommendations, is a common theme in major tech failures involving data breaches.
The Delayed Public Disclosure
One of the most criticized aspects of the Yahoo breaches was the significant delay between discovery and public announcement.
- Late 2014: The 2014 breach affecting over 500 million accounts occurred, and Yahoo later admitted in SEC filings that they were aware of an intrusion into their network by this time.
- June 2016: Rumors surfaced when data allegedly from 200 million Yahoo accounts appeared for sale on a darknet market. Yahoo stated they were investigating but did not mandate password resets for users at this time.
- September 22, 2016: Yahoo officially announced the 2014 breach, affecting over 500 million accounts. They claimed the attack was state-sponsored and that attackers were no longer in the system. They took steps like invalidating unencrypted security questions and asking users to change passwords.
- November 2016: In an SEC filing, Yahoo acknowledged they had known about the 2014 intrusion since that year, but claimed they hadn't understood the full scope until investigating a separate issue around July 2016 (likely the darknet market rumors).
- December 2016: Yahoo publicly disclosed the August 2013 breach, initially stating it affected one billion accounts.
- October 2017: Yahoo revised the 2013 breach estimate, confirming all three billion accounts were compromised.
This lag of two years from the 2014 breach occurrence (and internal knowledge) to public disclosure, and over three years for the 2013 breach, drew intense criticism. Critics argued that Yahoo failed its users by not allowing them to take protective measures sooner, such as changing passwords or monitoring for fraudulent activity. This delayed disclosure also raised questions about potential violations of securities laws regarding timely reporting of material information that could affect the company's value.
Prosecution and Accusations
Following investigations, the U.S. Justice Department took action regarding the 2014 breach.
- March 15, 2017: The FBI indicted four individuals in connection with the 2014 breach. This group included:
- Alexey Belan: A notorious Russian hacker who was already on the FBI's Ten Most Wanted Fugitives list. He was accused of copying the database backup.
- Dmitry Dokuchaev and Igor Sushchin: Two officers allegedly working for Russia's Federal Security Service (FSB). The FBI accused them of directing and paying Belan and other hackers to conduct the attack and other activities. The involvement of alleged state intelligence officers was a significant development.
- Karim Baratov: A Canadian hacker allegedly paid by Dokuchaev and Sushchin to break into about 80 non-Yahoo email accounts of specific targets identified using data from the Yahoo breaches.
Russian officials denied any involvement. Of the four indicted, only Karim Baratov was apprehended. He was extradited to the United States in August 2017, pleaded guilty to charges related to hacking, and was sentenced in May 2018 to five years in prison and ordered to pay restitution. His case highlighted the international nature of cybercrime and the role of individuals working for or with state intelligence services.
Fallout and Consequences
The Yahoo data breaches had wide-ranging and costly consequences for the company, its users, and its acquisition by Verizon.
Impact on Verizon Acquisition
Prior to the public disclosure of the breaches, Verizon Communications was in the process of acquiring a significant portion of Yahoo's business for $4.8 billion. Yahoo reportedly informed Verizon of the 2014 breach only two days before the public announcement in September 2016. The revelation of the massive data breaches significantly complicated the deal. While Verizon CEO Lowell McAdam publicly played down the impact, the scale of the breaches and Yahoo's handling of them were serious concerns. Ultimately, the deal went through in June 2017, but at a reduced price of $4.48 billion, a $350 million reduction from the original offer. As part of the revised terms, Verizon and the remaining Yahoo entity (renamed Altaba) agreed to jointly share the ongoing costs related to government investigations and lawsuits stemming from the breaches.
Regulatory Scrutiny and Fines
Both U.S. and international regulators expressed serious concerns about the breaches and Yahoo's delayed disclosure.
- United States: Members of the U.S. Congress demanded answers regarding the timeline and reasons for the delay, calling it "unacceptable." The U.S. Securities and Exchange Commission (SEC) investigated whether Yahoo and its executives met their obligations to disclose material information to investors. In April 2018, the SEC fined Altaba (the entity holding Yahoo's remaining assets) $35 million for failing to disclose the 2014 breach in a timely manner, noting that the company's prior public filings had failed to disclose its knowledge of the intrusion.
- International: European regulators, particularly the Article 29 Data Protection Working Party and Ireland's Data Protection Commissioner (due to Yahoo's European headquarters being in Dublin), voiced concerns and investigated. Ireland's DPC found that Yahoo's oversight of its data processing and security measures fell short of EU data protection law requirements, although no fine was issued by Ireland. Germany's Federal Office for Information Security publicly criticized Yahoo and advised German users to switch providers.
Class Action Lawsuits
The breaches triggered numerous class-action lawsuits filed by affected users seeking compensation for damages, such as identity theft risks, financial losses, and the loss of value of their personal information. Multiple lawsuits in the U.S. were consolidated into a single class action. After an initial settlement offer was rejected by a judge, Yahoo (with Verizon and Altaba contributing) ultimately agreed in April 2019 to a settlement valued at $117.5 million. The settlement provided affected users with options for cash payouts (depending on the number of claims) and free credit monitoring services. This demonstrated the significant cost incurred by the company as a direct result of the breaches.
Internal Accountability
An internal review by Yahoo found that CEO Marissa Mayer and other key executives were aware of the intrusions but failed to adequately inform the full company or take sufficient steps. While Mayer was not fired, her $12 million equity compensation and bonus for 2016 and 2017 were revoked. The company's General Counsel, Ronald S. Bell, resigned by March 2017 as a result of the review's findings.
Why the Yahoo Breaches Are Infamous
The Yahoo data breaches serve as a critical case study in the history of tech failures for several key reasons:
- Unprecedented Scale: At three billion accounts, the 2013 breach remains the largest data breach ever reported. The sheer volume of compromised data was staggering.
- Sensitive Data Exposed: The loss of names, emails, phone numbers, birth dates, and especially security questions (many unencrypted) put billions of individuals at risk of identity theft, phishing attacks, and account takeover on other platforms.
- Delayed Disclosure: The multi-year delay between internal knowledge and public announcement eroded trust, prevented users from protecting themselves, and led to significant regulatory penalties and lawsuits. This failure in transparency is a major reason for its infamous status.
- Alleged State Involvement: The indictment of individuals linked to Russian intelligence services added a geopolitical dimension and underscored the increasing threat of state-sponsored cyberattacks targeting private companies for various motives.
- Significant Consequences: The tangible impacts – a hundreds-of-millions-of-dollars reduction in acquisition price, hefty regulatory fines, massive class-action settlements, and damage to reputation – demonstrate the severe repercussions of inadequate security and poor incident response.
- Security Culture Issues: Reports of underinvestment in security despite known risks highlight how internal corporate priorities can directly lead to catastrophic external failures.
The Yahoo breaches are more than just a technical incident; they are a comprehensive failure involving technology, corporate governance, risk management, and ethical responsibility, making them a textbook example of what can go wrong when cybersecurity is not treated as a top priority.