Yahoo Discloses 3 Billion Accounts Compromised — Largest Data Breach in History


What happened

Yahoo disclosed in 2016 that a 2013 breach had compromised 500 million accounts. A year later, the company revised the figure to 3 billion — every account Yahoo had ever created. MD5-hashed passwords and security questions were stolen, with the breach going undetected for three years.[1]


What went wrong

Yahoo used MD5 for password hashing — a function known to be cryptographically broken since 2004 — and stored unencrypted security question answers. The breach went undetected for three years partly due to inadequate monitoring and a failure to investigate anomalous access patterns.[1]

Lesson learned

Password hashing must use modern algorithms like bcrypt or Argon2. Security question answers should be treated as passwords and hashed accordingly. Breach detection requires active monitoring, not just perimeter defense.
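The first two lessons above, as an added example that is not Yahoo's code or part of the original page: a login check that upgrades a legacy MD5 record to a salted, memory-hard hash on the first successful login, and security-question answers hashed the same way as passwords. The standard library's scrypt stands in here for bcrypt or Argon2; the record format, function names, cost parameters and the assumption that legacy records are bare MD5 hex digests are all illustrative.

```python
import hashlib, hmac, os, unicodedata

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 2**20, dklen=32)

def legacy_md5(password: str) -> str:
    """Legacy record format assumed here: bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()

def kdf_hash(secret: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random salt per record."""
    salt = os.urandom(16)
    key = hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"

def kdf_verify(secret: str, record: str) -> bool:
    _, salt_hex, key_hex = record.split("$")
    key = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def login(store: dict, user: str, password: str) -> bool:
    """Check a password; on success, replace a legacy MD5 record with scrypt."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("scrypt$"):
        return kdf_verify(password, record)
    if not hmac.compare_digest(legacy_md5(password), record):
        return False
    store[user] = kdf_hash(password)  # the MD5 digest is no longer stored
    return True

def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and spacing so honest retyping still matches."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str) -> str:
    """Security-question answers get the same treatment as passwords."""
    return kdf_hash(normalize_answer(answer))

def verify_answer(answer: str, record: str) -> bool:
    return kdf_verify(normalize_answer(answer), record)
```

Records for accounts that never log in stay in MD5 under this scheme, so upgrade-on-login needs to be paired with a forced reset or expiry for dormant accounts.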

Est. value burned: ~$350M (Verizon deal price cut)

Sources

  1. [1]
