Yahoo Discloses 3 Billion Accounts Compromised — Largest Data Breach in History


What happened

In September 2016 Yahoo disclosed that a 2014 intrusion had compromised about 500 million accounts. In December 2016 it disclosed a separate, earlier breach from August 2013, initially put at 1 billion accounts; in October 2017 that figure was revised to 3 billion, every account Yahoo had ever created. The stolen records included MD5-hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The 2013 breach went undetected for roughly three years.[1]

What went wrong

Yahoo hashed passwords with MD5. Practical collision attacks against MD5 have existed since 2004, but for password storage the more basic problem is that it is a fast general-purpose hash with no built-in salt or tunable work factor: a stolen dump can be attacked with precomputed tables and billions of guesses per second on commodity GPUs. Some security questions and answers were stored unencrypted, so they were usable as-is for account recovery. The 2013 breach went undetected for about three years, partly due to inadequate monitoring and a failure to investigate anomalous access patterns.[1]

Lesson learned

Password hashing must use a deliberately slow, salted algorithm with a tunable cost, such as bcrypt, scrypt or Argon2, so that a leaked database cannot be cracked at hardware speed. Security question answers are secrets too: normalize them (case, whitespace, punctuation) and hash them with the same algorithm rather than storing them in the clear. Breach detection requires active monitoring of authentication and data-access patterns, not just perimeter defense.

Est. value burned: ~$350M (Verizon acquisition price cut)

Sources

  1. Yahoo, "Yahoo Discloses 3 Billion Accounts Compromised — Largest Data Breach in History".