Yahoo's 3 Billion Account Breach: History's Largest Hack
How two massive data breaches exposed personal information from nearly half the world's internet users — and went undetected for years

## Quick Facts
In August 2013, Yahoo suffered a catastrophic security breach that would eventually be confirmed as the largest data breach in history. Hackers gained access to approximately 3 billion user accounts—nearly half of all internet users at the time. The company would not publicly acknowledge this breach until December 2016, more than three years later.
But Yahoo's security failures didn't end there. Between November and December 2014, a second massive breach compromised roughly 500 million additional user accounts. This breach was disclosed publicly in September 2016, a full two years after it occurred.
## What Was Stolen
Both breaches exposed the same categories of sensitive personal information: names, email addresses, phone numbers, and dates of birth. Hackers also obtained hashed and encrypted passwords, along with security questions in both encrypted and unencrypted formats. For millions of Yahoo users, this meant their most basic identity information was in the hands of criminals or foreign actors.
## The Investigation and Attribution
The two breaches appear to have had different perpetrators. The 2014 breach was officially attributed by the U.S. Justice Department to Alexey Belan, a Russian national accused of orchestrating the attack. However, the much larger 2013 breach remains officially unresolved. When Yahoo CEO Marissa Mayer testified before Congress in 2017, she stated that the company could not determine who was responsible for the 2013 breach. Intelligence assessments suggest state-sponsored actors were likely involved in at least one of the incidents, though no definitive attribution has been made public.


