Yahoo Data Breach


Due to systemic failures in its cyber security systems, between 2012 and 2016, Yahoo suffered a series of system hacks by organised crime groups. This page explains how the Yahoo data breaches happened.

The 2014 Yahoo Data Breach

In 2018, the Information Commissioner’s Office fined Yahoo £250,000 over a hack that affected more than 515,000 UK email accounts.

The fine related to a 2014 Russian state-sponsored cyber-attack, which resulted in personal data being stolen from over 500 million Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, the data breach wasn’t reported until September 2016.

Due to poor data security practices at Yahoo, cybercriminals managed to steal data from millions of Yahoo customers. This included:

Around July 2016, the personal data of around 200 million Yahoo accounts was put up for sale on the dark web.

Yahoo also reported that hackers likely used manufactured web cookies to falsify login credentials. This meant they could gain access to any account without a password.
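The cookie forgery described above only works when a server accepts whatever identity a cookie claims instead of checking that the server itself issued it. The following example is added here for illustration; it is not code from Yahoo and makes no claim about how Yahoo's cookies were actually built. It contrasts a naive parser that trusts the cookie body with one that requires an HMAC tag under the current server key and rejects stale cookies. The key, user names and `MAX_AGE_SECONDS` value are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store and rotates it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 3600  # assumed session lifetime for the example


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    # Re-add the padding stripped at encode time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_body(user: str, issued_at: int) -> str:
    return _b64e(json.dumps({"user": user, "iat": issued_at}, sort_keys=True).encode())


def issue_cookie(user: str, key: bytes, now: Optional[float] = None) -> str:
    """Issue a session cookie: body plus an HMAC-SHA256 tag bound to the server key."""
    body = _encode_body(user, int(now if now is not None else time.time()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unverified_cookie_claiming(user: str) -> str:
    """Constructed input for the demonstration: a body naming a user with a bogus tag."""
    return f"{_encode_body(user, int(time.time()))}.{'0' * 64}"


def naive_session_user(cookie: str) -> Optional[str]:
    """The weak pattern: trust whatever identity the cookie body claims."""
    body = cookie.split(".", 1)[0]
    try:
        return json.loads(_b64d(body))["user"]
    except (ValueError, KeyError):
        return None


def verified_session_user(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Accept an identity only if the tag verifies under the current key and the cookie is fresh."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(_b64d(body))
        user, issued_at = claims["user"], int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return None
    current = now if now is not None else time.time()
    if current - issued_at > MAX_AGE_SECONDS:
        return None
    return user


if __name__ == "__main__":
    bogus = unverified_cookie_claiming("victim")
    print("naive parser accepts:", naive_session_user(bogus))
    print("verified parser accepts:", verified_session_user(bogus, SERVER_KEY))
    print("genuine cookie:", verified_session_user(issue_cookie("alice", SERVER_KEY), SERVER_KEY))
```

The signature check is only as strong as the secrecy of the key: anyone holding the signing key can mint cookies that pass, so the key must be rotated and, where the risk justifies it, sessions should be tracked in a server-side store that can be revoked rather than trusting a self-contained cookie alone.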

In 2017, the FBI officially charged four men, including two who worked for Russia’s Federal Security Service (FSB), with the breach.

The ICO's Investigation

Following the Yahoo data breach, the Information Commissioner’s Office (ICO) investigated the privacy violation. While people in many different countries were involved, the ICO investigation focused on UK accounts that were co-branded Sky and Yahoo, and which the London-based branch of Yahoo had responsibility for.

Following its inquiry, the ICO found that Yahoo had “failed to prevent” the hack. It condemned “inadequacies” at Yahoo that had existed for some time without being “discovered or addressed”. The investigation also found that:

According to an ICO spokesperson: “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

As a result, the ICO imposed a £250,000 fine on Yahoo. However, this represented less than 0.4% of Yahoo UK’s 2016 gross profit.

Were you affected by the Yahoo data protection failure?

If you had a Yahoo account between January 1, 2012 and December 31, 2016, you could have been affected by this data violation.

Yahoo also suffered a larger data breach in 2013

The 2013 Yahoo data breach was separate from the 2014 incident. This hack was conducted by an “unauthorized third party”, and the data accessed was similar to that compromised in the 2014 breach. This violation involved three billion user accounts.

$117.5 million Yahoo data breach settlement

In September 2019, Yahoo agreed to a $117.5 million settlement with the millions of users whose personal information was stolen in what was dubbed the “largest data breach in history”. The money was only available to people who lived in the US and Israel.

Yahoo Data Breach Timeline

  • 2012-2016
    Yahoo suffered a series of system hacks by organised crime groups
  • July 2016
    Account names and passwords for about 200 million Yahoo! accounts were presented for sale on the darknet
  • September 2016
    Yahoo reported that a 2014 Russian state-sponsored cyber-attack resulted in personal data being stolen from over 500 million Yahoo user accounts worldwide
  • June 2017
    Yahoo sold itself to Verizon for $4.48 billion
  • October 2017
    Verizon said in a statement that, with the assistance of outside forensic experts, it had determined that all three billion Yahoo! users were affected by a 2013 data theft. Yahoo originally said that only 1 billion users had been involved.
  • June 2018
    The UK’s Information Commissioner’s Office (ICO) fined Yahoo £250,000 after investigating failures at the company
  • September 2019
    Yahoo emailed its users saying it was nearing a $117.5 million settlement. However, it was confirmed that the money would only be available to people in the US and Israel