
A History of Yahoo Hacks

The company’s huge billion-user security breach is the latest in a very long line.
December 15, 2016

Yahoo has admitted that a major security breach of its systems affected more than a billion users. It’s the worst in the company’s history, and perhaps the biggest hack of user data ever. But it’s also just the latest in a long line of recent embarrassing security announcements for the company.

2012: Yahoo Loses Its Voices

When Yahoo acquired the online publishing network Associated Content in 2010 for $100 million, it also bought itself a headache. In July 2012, hackers published a cache of e-mail addresses and encrypted passwords obtained from the servers of Yahoo Voices—the new name for Associated Content. Details of 400,000 user accounts were compromised in the attack. The issue: weak security in the systems inherited by Yahoo that nobody had bothered to upgrade.

2013: Phishing for Mail

The year started badly in 2013 for Yahoo, when many Yahoo Mail users reported that their accounts had been hacked—and it didn’t get better. Despite plugging a series of security holes, the company found that users complained of a series of compromises through the first quarter of the year. Accounts were targeted via phishing attacks, in which users were encouraged to click on links within e-mails. When they did, their accounts were hijacked.

2014: Yahoo Mail (Again)

The start of 2014 wasn’t much better. Toward the end of January, Yahoo was forced to admit that it had identified an attempted hack of customer e-mail account details. Hackers had apparently used a list of usernames and passwords acquired from a third-party server to penetrate user accounts and acquire more names and e-mail addresses. Yahoo swiftly reset passwords to stop the attacks.

2016: The Half-Billion Hack

On September 22, 2016, Yahoo admitted that its servers had been hacked in 2014, with 500 million user accounts affected. Names, e-mail addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords were captured by the hackers. Yahoo said the attack was carried out by "state-sponsored" hackers. Security researchers InfoArmor disputed that claim.

2016: The Full Billion

On December 14, 2016, Yahoo announced its biggest ever security breach. The hack, widely believed to be the largest ever hack of user records, occurred in 2013 but was only brought to light following a recent investigation spurred by a law enforcement tip-off. The company says that the attack is "likely distinct" from the hack announced in September 2016.

According to the company’s chief information security officer, Bob Lord, hackers obtained "names, e-mail addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers." It’s thought that the hack was carried out using forged cookies to gain access to user accounts, without need for a password. The company has said that it believes it could be linked to a "state-sponsored actor."

2017: Verizon's Problem or Not?

In July 2016, Verizon announced that it was planning to acquire the beleaguered Yahoo for $4.8 billion. In October, Verizon's head of product Marni Walden said that the telco would have to be “careful” in its approach to the deal, given that it has an “obligation to make sure we protect our shareholders and our investors.”

Regarding the latest news, Verizon spokesman Bob Varettoni said that the company “will review the impact of this new development before reaching any final conclusions” about the deal. But Bloomberg reports that it may be seeking to drive down the price of the acquisition, or even step away from it altogether.

That would seem fair enough. In light of Yahoo's recent track record, there may be yet more surprises in store.

(Read more: Yahoo, Bloomberg, "What Yahoo Got Right")

