A History of Yahoo Hacks
Yahoo has admitted that a major security breach of its systems affected more than a billion users. It’s the worst in its history, and perhaps the biggest ever hack of user data in history. But it’s also just the latest in a long line of recent embarrassing security announcements for the company.
2012: Yahoo Loses Its Voices
When Yahoo acquired the online publishing network Associated Content in 2010 for $100 million, it also bought itself a headache. In July 2012, hackers published a cache of e-mail addresses and encrypted passwords obtained from the servers of Yahoo Voices—the new name for Associated Content. Details of 400,000 user accounts were compromised in the attack. The issue: weak security in the systems inherited by Yahoo that nobody had bothered to upgrade.

2013: Phishing for Mail
The year started badly in 2013 for Yahoo, when many Yahoo Mail users reported that their accounts had been hacked—and it didn’t get better. Despite plugging a series of security holes, the company found that users complained of a series of compromises through the first quarter of the year. Accounts were targeted via phishing attacks, in which users were encouraged to click on links within e-mails. When they did, their accounts were hijacked.
2014: Yahoo Mail (Again)
The start of 2014 wasn’t much better. Toward the end of January, Yahoo was forced to admit that it had identified an attempted hack of customer e-mail account details. Hackers had apparently used a list of usernames and passwords acquired from a third-party server to penetrate user accounts and acquire more names and e-mail addresses. Yahoo swiftly reset passwords to stop the attacks.
2016: The Half-Billion Hack
On September 22, 2016, Yahoo admitted that its servers had been hacked in 2014, with 500 million user accounts affected. Names, e-mail addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords were captured by the hackers. Yahoo said the attack was carried out by "state-sponsored" hackers. Security researchers InfoArmor disputed that claim.
2016: The Full Billion
On December 14, 2016, Yahoo announced its biggest ever security breach. The hack, widely believed to be the largest ever hack of user records, occurred in 2013 but was only brought to light following a recent investigation spurred by a law enforcement tip-off. The company says that the attack is "likely distinct" from the hack announced in September 2016.
According to the company’s chief information security officer, Bob Lord, hackers obtained "names, e-mail addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers." It’s thought that the hack was carried out using forged cookies to gain access to user accounts, without need for a password. The company has said that it believes it could be linked to a "state-sponsored actor."
2017: Verizon's Problem or Not?
In July 2016, Verizon announced that it was planning to acquire the beleaguered Yahoo for $4.8 billion. In October, Verizon's head of product Marni Walden said that the telco would have to be “careful” in its approach to the deal, given that it has an “obligation to make sure we protect our shareholders and our investors.”
Responding to the latest news, Verizon spokesman Bob Varettoni said that the company “will review the impact of this new development before reaching any final conclusions” about the deal. But Bloomberg reports that it may be seeking to drive down the price of the acquisition, or even step away from it altogether.
That would seem fair enough. In light of Yahoo's recent track record, there may be yet more surprises in store.
(Read more: Yahoo, Bloomberg, "What Yahoo Got Right")