Skip to main content

Confirmed: A hacker accessed records of more than 500 million Yahoo accounts

yahoo 500 million accounts hacked on tablet
Following reports Thursday morning of a massive Yahoo security breach, the embattled internet giant confirmed the worst this afternoon: personal records associated with hundreds of millions of accounts had been compromised in one of the worst cybersecurity breaches this year. According to a statement on a Yahoo FAQ webpage, a “state-sponsored actor” scraped the names, email addresses, telephone numbers, dates of birth, and passwords associated with more than 500 million Yahoo accounts as recently as 2014.

Yahoo said there is no evidence the responsible party still had access to its network or internal services. Furthermore, it said not all accounts were compromised, and that some details, such as bank account numbers and credit card data, do not appear to have been targeted. But the company said that out of an abundance of caution, it had taken steps to inform affected users of the breach and invalidated unencrypted passwords and security questions. It also urged account holders who had not changed their passwords since 2014 to do so, and encouraged all Yahoo users to change their security questions and answers and review their accounts for “suspicious activity.”

Related Videos

Yahoo said that it was working with law enforcement and that an investigation of the breach was ongoing.

The Wall Street Journal, citing an unnamed source within the company, reported that Yahoo’s databases contained well north of one billion user accounts, and that passwords were protected with an encryption scheme — MD5 — that would have required the latest password-breaking techniques to compromise. In an FAQ published Thursday afternoon, Yahoo said that its hashing method, or one-way mathematical function responsible for obfuscating data, was chosen for its proven robustness against “password cracking” and reliability. “[It’s] a … mechanism that incorporates security features … including … multiple rounds of computation,” Yahoo said.

Rumors of massive security breach emerged as early as August when a hacker, identified by the username Peace, offered to sell 200 million Yahoo usernames and passwords for $1,900 in online forums. The suspected cybercriminal is widely believed to have engineered the sale of stolen data from high-profile networks like LinkedIn and Myspace — reportedly to the collective tune of between $50,000 and $60,000 — and has been implicated in hacks of European social networking site VK, Fling, Dropbox, Tumblr,, Twitter, and Facebook.

At the time, a Yahoo representative said the company was aware of the incident and was “working to determine the facts.”

It is not the first time Yahoo suffered a large-scale security breach. In 2012, a group of unscrupulous programmers known as D33D Company managed to download 453,000 unencrypted usernames and passwords belonging to Yahoo Voices, a self-publishing service. Following the infiltration, Yahoo fixed the vulnerability that led to the breach, changed affected users’ passwords and dispatched notifications to companies with accounts that might have been compromised.

As of late, Yahoo has made strides in the area of security. Last year, as part of a separate effort to beef up the network’s broader security, the company deployed a service that automatically detects and notifies users when it suspects their account may have been targeted by a state-sponsored actor. It encouraged affected users to turn on Account Key, Yahoo’s passcode-free login service, activate two-step verification, to choose a strong, unique password. and to review recent activity in account settings.

Yahoo said that before Thursday’s breach, roughly 10,000 users had received an alert via the service.

It is unclear how Thursday’s disclosure will affect the $4.83-billion sale of Yahoo’s core assets to internet service provider and budding content mogul Verizon. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” a Verizon spokesperson said on Thursday.

As of publication, shares of Yahoo had fallen 0.3 percent to $44.02, while shares of Verizon had climbed one percent to $52.39.

The breach is yet another blemish on Yahoo President and CEO Marissa Mayer, who has struggled to turn the beleaguered Silicon Valley company around since its height in early 2000. Yahoo’s web properties, despite attracting more than 200 million U.S. monthly visitors in the past year, reported an 11 percent year-over-year decline in revenue during the company’s most recent earnings call. And Yahoo laid off 1,000 employees, or about 10 percent of its workforce, in the first quarter of 2016.

Analysts blame a failure to capitalize on mobile — and ballooning investments. In the first quarter of 2016, Yahoo made $250 million in revenue from smartphone and tablet users; Facebook, in contrast, made $4.5 billion in the fourth quarter of 2015.  The company’s capital expenditures, driven by substantial investments such as streaming licenses for National Football League broadcasts and the purchase of shopping site Polyvore, climbed an average of 21 percent in 2015.

But Yahoo’s advertising business remains one of the web’s largest. This year, the company is expected to generate $2.83 billion in profit on a 1.5 percent share of the online market. Yahoo Japan, an Asian culture web portal that is the product of a joint venture between Yahoo and Japanese internet company SoftBank Group, has been appraised at nearly $9 billion. Yahoo’s other ventures, which include online publications like Yahoo Tech and Yahoo Finance, are worth an estimated $5 billion to $8 billion.

Editors' Recommendations

What is Amazon Music: everything you need to know
Amazon Music

It's a jungle of music streaming platforms out there, so it stands to reason that Amazon would have one among its massive kingdom of services. And while Amazon Music might not be top of mind among the Spotifys and Apple Musics of the world, you might be surprised by its 100-million-song library, high-resolution and spatial audio offerings, podcast library, Alexa voice control, and a pretty amiable user interface that makes finding music pretty easy.

Amazon Music's subscriptions range from free to its premium Music Unlimited tier, which can be added for $9 per month on top of a subscription to Amazon Prime. But they all come with some quirks and features. We're going to break them all down for you to help you choose which, if any, Amazon Music plan is right for you.

Read more
GPT-4: how to use, new features, availability, and more
A laptop opened to the ChatGPT website.

ChatGPT-4 has officially been announced, confirming the longtime rumors around its improvements to the already incredibly impressive language skills of OpenAI's ChatGPT.

OpenAI calls it the company's "most advanced system, producing safer and more useful responses." Here's everything we know about it so far.

Read more
How Microsoft 365 Copilot unleashes ChatGPT from its restraints
Copilot in Microsoft Word generating results.

Thanks to ChatGPT, natural language AI has taken the world by storm. But so far, it's felt boxed in. With these chatbots, everything happens in one window, with one search bar to type into.

We've always known these large language models could do far more, though, and it was only a matter of time until that potential was unlocked. Microsoft has just announced Copilot, its own integration of ChatGPT into all its Microsoft 365 apps, including Word, PowerPoint, Outlook, Teams, and more. And finally, we're seeing the way generative AI is going to be used more commonly in the future -- and it's not necessarily as a straightforward chatbot.
Bringing natural language into apps

Read more