Yahoo! data breaches: Difference between revisions

From Wikipedia, the free encyclopedia
OAbot (talk | contribs)
m Open access bot: doi updated in citation with #oabot.
(32 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{short description|Major data breaches which occurred at Yahoo!}}
{{short description|Major data breaches which occurred at Yahoo!}}
{{good article}}
{{Use mdy dates|date=October 2017}}
{{Use mdy dates|date=October 2017}}


In 2013 and 2014, the Internet service company [[Yahoo!|Yahoo]] was subjected to two of the largest data breaches on record. Although Yahoo was aware, neither breach was revealed publicly until September 2016.
In 2013 and 2014, the American web services company [[Yahoo!|Yahoo]] was subjected to two of the largest data breaches on record. Although Yahoo was aware, neither breach was revealed publicly until September 2016.


The 2013 data breach occurred on Yahoo servers in August 2013 and affected all three billion user accounts. The 2014 breach affected over 500 million user accounts. Both breaches are considered the [[List of data breaches|largest ever discovered]] and included names, email addresses, phone numbers, birth dates, and security questions—both encrypted and unencrypted. When Yahoo made the breaches public in 2016, they acknowledged being aware of the second intrusion since 2014.
The 2013 data breach occurred on Yahoo servers in August 2013 and affected all three billion user accounts. The 2014 breach affected over 500 million user accounts. Both breaches are considered the [[List of data breaches|largest ever discovered]] and included names, email addresses, phone numbers, birth dates, and security questions—both encrypted and unencrypted. When Yahoo made the breaches public in 2016, they acknowledged being aware of the second intrusion since 2014.


These incidents not only led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov who received a five-year prison sentence but also prompted widespread criticism of Yahoo for their delayed response. The fallout included a US $117.5 million class-action lawsuit settlement, a $35 million fine from the [[U.S. Securities and Exchange Commission]], scrutiny by the [[United States Congress]], and significant implications for [[Verizon Communications|Verizon Communication's]] 2017 acquisition of Yahoo.
These incidents led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov who received a five-year prison sentence and also prompted widespread criticism of Yahoo for their delayed response. The fallout included a U.S. $117.5 million class-action lawsuit settlement, a $35 million fine from the [[U.S. Securities and Exchange Commission]], scrutiny by the [[United States Congress]], and complications for [[Verizon Communications|Verizon Communication's]] 2017 acquisition of Yahoo.


==August 2013: breach==
==August 2013: breach==
[[File:Marissa_Mayer,_World_Economic_Forum_2013_II.jpg|thumb|[[Marissa Mayer]], who was CEO of Yahoo at the time of the breaches, at the World Economic Forum 2013 ]]
[[File:Marissa_Mayer,_World_Economic_Forum_2013_II.jpg|thumb|[[Marissa Mayer]], who was CEO of Yahoo at the time of the breaches, at the World Economic Forum 2013 ]]


The first data breach occurred on Yahoo servers in August 2013.<ref name="nytimes dec2016">{{cite web | url=https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html | title=Yahoo Says 1 Billion User Accounts Were Hacked | first=Vindu | last=Goel | date=December 14, 2016 | access-date=December 14, 2016 | work=[[The New York Times]] | archive-date=December 14, 2016 | archive-url=https://web.archive.org/web/20161214224401/http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html | url-status=live }}</ref> and affected all three billion user accounts.<ref name="wsj oct2017">{{cite web |last1=McMillan |first1=Robert |last2=Knutson |first2=Ryan |date=October 3, 2017 |title=Yahoo Triples Estimate of Breached Accounts to 3 |url=https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804 |url-status=live |archive-url=https://web.archive.org/web/20210126120636/https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804 |archive-date=January 26, 2021 |access-date=October 3, 2017 |work=[[The Wall Street Journal]]}}</ref><ref name=":2">{{cite web | url=https://www.cnbc.com/2017/10/03/yahoo-every-single-account-3-billion-people-affected-in-2013-attack.html | title=Yahoo just said every single account was affected by 2013 attack — 3 billion in all | first=Todd | last=Haselton | date=October 3, 2017 | access-date=October 3, 2017 | work=[[CNBC]] | archive-date=October 3, 2017 | archive-url=https://web.archive.org/web/20171003204206/https://www.cnbc.com/2017/10/03/yahoo-every-single-account-3-billion-people-affected-in-2013-attack.html | url-status=live }}</ref> Yahoo announced the breach on December 14, 2016.<ref name=":6">{{cite journal |last1=Trautman |first1=Lawrence J. 
|last2=Ormerod |first2=Peter |date=February 9, 2017 |title=Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach |url=https://ssrn.com/abstract=2883607 |journal=American University Law Review |volume=66 |pages=1231 |doi=10.2139/ssrn.2883607 |access-date=2024-05-01}}</ref> {{as of|2024}}, no information has been released about the method used. Former CEO of Yahoo [[Marissa Mayer]], who was CEO at the time of the breach, testified before Congress in 2017 that Yahoo had been unable to determine who perpetrated the 2013 breach.<ref>{{Cite web |last=Shabad |first=Rebecca |date=2017-11-08 |title=Yahoo hack, Equifax data breach hearing: Richard Smith and Marissa Mayer will testify to Senate Commerce Committee |url=https://www.cbsnews.com/live-news/senate-panel-holds-hearing-on-equifax-breach-consumer-data-security-live-updates/ |access-date=2024-03-26 |website=www.cbsnews.com |language=en-US}}</ref>
The first data breach occurred on Yahoo servers in August 2013<ref name="nytimes dec2016">{{cite web | url=https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html | title=Yahoo Says 1 Billion User Accounts Were Hacked | first=Vindu | last=Goel | date=December 14, 2016 | access-date=December 14, 2016 | work=[[The New York Times]] | archive-date=December 14, 2016 | archive-url=https://web.archive.org/web/20161214224401/http://www.nytimes.com/2016/12/14/technology/yahoo-hack.html | url-status=live }}</ref> and affected all three billion user accounts.<ref name="wsj oct2017">{{cite web |last1=McMillan |first1=Robert |last2=Knutson |first2=Ryan |date=October 3, 2017 |title=Yahoo Triples Estimate of Breached Accounts to 3 |url=https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804 |url-status=live |archive-url=https://web.archive.org/web/20210126120636/https://www.wsj.com/articles/yahoo-triples-estimate-of-breached-accounts-to-3-billion-1507062804 |archive-date=January 26, 2021 |access-date=October 3, 2017 |work=[[The Wall Street Journal]]}}</ref><ref name=":2">{{cite web | url=https://www.cnbc.com/2017/10/03/yahoo-every-single-account-3-billion-people-affected-in-2013-attack.html | title=Yahoo just said every single account was affected by 2013 attack — 3 billion in all | first=Todd | last=Haselton | date=October 3, 2017 | access-date=October 3, 2017 | work=[[CNBC]] | archive-date=October 3, 2017 | archive-url=https://web.archive.org/web/20171003204206/https://www.cnbc.com/2017/10/03/yahoo-every-single-account-3-billion-people-affected-in-2013-attack.html | url-status=live }}</ref> Yahoo announced the breach on December 14, 2016.<ref name=":6">{{cite journal |last1=Trautman |first1=Lawrence J. 
|last2=Ormerod |first2=Peter |date=February 9, 2017 |title=Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach |url=https://ssrn.com/abstract=2883607 |journal=American University Law Review |volume=66 |pages=1231 |doi=10.2139/ssrn.2883607 |access-date=2024-05-01}}</ref> [[Marissa Mayer]], who was CEO of Yahoo at the time of the breach, testified before Congress in 2017 that Yahoo had been unable to determine who perpetrated the 2013 breach.<ref>{{Cite web |last=Shabad |first=Rebecca |date=2017-11-08 |title=Yahoo hack, Equifax data breach hearing: Richard Smith and Marissa Mayer will testify to Senate Commerce Committee |url=https://www.cbsnews.com/live-news/senate-panel-holds-hearing-on-equifax-breach-consumer-data-security-live-updates/ |access-date=2024-03-26 |website=www.cbsnews.com |language=en-US}}</ref>


== Early 2014: security culture at Yahoo ==
== Early 2014: security culture at Yahoo ==
A year after Yahoo was identified by the American whistleblower [[Edward Snowden]] as a frequent target for state-sponsored hackers in 2013, the company hired a dedicated chief information security officer, [[Alex Stamos]]. While Stamos' hiring was praised by technology experts as showing Yahoo's commitment towards better security, Yahoo CEO [[Marissa Mayer]] had reportedly denied Stamos and his security team sufficient funds to implement the security measures they recommended, and he departed the company by 2015.<ref name=":6" />
A year after Yahoo was identified by the American whistleblower [[Edward Snowden]] as a frequent target for state-sponsored hackers in 2013, the company hired a dedicated chief information security officer, [[Alex Stamos]]. While Stamos' hiring was praised by technology experts as showing Yahoo's commitment towards better security, Yahoo CEO Marissa Mayer had reportedly denied Stamos and his security team sufficient funds to implement the security measures they recommended, and he departed the company by 2015.<ref name=":6" />


==Late 2014: breach==
==Late 2014: breach==
During November or December 2014 a hacker, believed to by the US Justice Department to be the Russian National [[Alexey Belan]], copied a November 2014 backup of Yahoo's User Account Database, containing details of over 500 million accounts to a computer under his control.<ref name=":5">{{cite web |author=U.S. Department of Justice |date= |title=Indictment |url=https://www.justice.gov/opa/press-release/file/948201/dl?inline |publisher=Department of Justice |access-date=2024-03-26}}</ref> The User Account Database included data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, [[Cryptographic hash function#Password verification|hashed]] passwords, and in some cases, encrypted or unencrypted security questions and answers through manipulated [[web cookies]].<ref name="Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts">{{cite web | url=http://www.nbcnews.com/tech/tech-news/your-yahoo-account-was-probably-hacked-company-set-confirm-massive-n652586 | title=Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts | first=Alyssa | last=Newcomb | publisher=NBC News | date=September 22, 2016 | access-date=September 22, 2016 | archive-date=September 22, 2016 | archive-url=https://web.archive.org/web/20160922212631/http://www.nbcnews.com/tech/tech-news/your-yahoo-account-was-probably-hacked-company-set-confirm-massive-n652586 | url-status=live }}</ref><ref name="faq">{{cite web |title=Account Security Issue FAQs |url=https://help.yahoo.com/kb/account/SLN27925.html |publisher=Yahoo! |access-date=September 23, 2016 |archive-date=September 22, 2016 |archive-url=https://web.archive.org/web/20160922191232/https://help.yahoo.com/kb/account/SLN27925.html |url-status=live }}</ref><ref>Shankar, Nithya, and Zareef Mohammed. “Surviving Data Breaches: A Multiple Case Study Analysis.” Journal of Comparative International Management 23.1 (2020): 35–54. 
Web.</ref> The majority of Yahoo's passwords used the [[bcrypt]] hashing algorithm, which is considered difficult to crack, with the rest using the older [[MD5]] algorithm, which can be broken rather quickly.<ref name=":4">{{cite web | url=https://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/ | title=Yahoo says half a billion accounts breached by nation-sponsored hackers | first=Dan | last=Goodin | date=September 22, 2016 | access-date=December 15, 2016 | work=[[Ars Technica]] | archive-date=December 15, 2016 | archive-url=https://web.archive.org/web/20161215005332/http://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/ | url-status=live }}</ref>
During November or December 2014 a hacker, believed by the U.S. Justice Department to be the Russian national [[Alexey Belan]], copied a November 2014 backup of Yahoo's User Account Database, containing details of over 500 million accounts to a computer under his control.<ref name=":5">{{cite web |author=U.S. Department of Justice |date= |title=Indictment |url=https://www.justice.gov/opa/press-release/file/948201/dl?inline |publisher=Department of Justice |access-date=2024-03-26}}</ref> The User Account Database included data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, [[Cryptographic hash function#Password verification|hashed]] passwords, and in some cases, encrypted or unencrypted security questions and answers through manipulated [[web cookies]].<ref name="Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts">{{cite web | url=http://www.nbcnews.com/tech/tech-news/your-yahoo-account-was-probably-hacked-company-set-confirm-massive-n652586 | title=Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts | first=Alyssa | last=Newcomb | publisher=NBC News | date=September 22, 2016 | access-date=September 22, 2016 | archive-date=September 22, 2016 | archive-url=https://web.archive.org/web/20160922212631/http://www.nbcnews.com/tech/tech-news/your-yahoo-account-was-probably-hacked-company-set-confirm-massive-n652586 | url-status=live }}</ref><ref name="faq">{{cite web |title=Account Security Issue FAQs |url=https://help.yahoo.com/kb/account/SLN27925.html |publisher=Yahoo! |access-date=September 23, 2016 |archive-date=September 22, 2016 |archive-url=https://web.archive.org/web/20160922191232/https://help.yahoo.com/kb/account/SLN27925.html |url-status=live }}</ref><ref>Shankar, Nithya, and Zareef Mohammed. “Surviving Data Breaches: A Multiple Case Study Analysis.” Journal of Comparative International Management 23.1 (2020): 35–54. 
Web.</ref> The majority of Yahoo's passwords used the [[bcrypt]] hashing algorithm, which is considered difficult to crack, with the rest using the older [[MD5]] algorithm, which can be broken rather quickly.<ref name=":4">{{cite web | url=https://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/ | title=Yahoo says half a billion accounts breached by nation-sponsored hackers | first=Dan | last=Goodin | date=September 22, 2016 | access-date=December 15, 2016 | work=[[Ars Technica]] | archive-date=December 15, 2016 | archive-url=https://web.archive.org/web/20161215005332/http://arstechnica.com/security/2016/09/yahoo-says-half-a-billion-accounts-breached-by-nation-sponsored-hackers/ | url-status=live }}</ref>


From October 2014 to at least November 2016, Belan and at least two hackers connected to him accessed user account information and contents for various unlawful actions including searching emails for gift voucher codes, deliberately targeting the accounts of persons of interest, improving the search ranking of businesses they had an interest in, and using the Yahoo data to breach accounts on other platforms such as Gmail.<ref name=":5" /> As part of this process, the hackers enlisted Canadian hacker Karim Baratov to break into accounts on other platforms.<ref name=":3">{{cite web |last1=Perlroth |first1=Nicole |last2=Goel |first2=Vindu |date=September 28, 2016 |title=Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say |url=https://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0 |url-status=live |archive-url=https://web.archive.org/web/20161215205623/http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0 |archive-date=December 15, 2016 |access-date=December 15, 2016 |work=[[The New York Times]]}}</ref>
From October 2014 to at least November 2016, Belan and at least two hackers connected to him accessed user account information and contents for various unlawful actions including searching emails for gift voucher codes, deliberately targeting the accounts of persons of interest, improving the search ranking of businesses they had an interest in, and using the Yahoo data to breach accounts on other platforms such as [[Gmail]].<ref name=":5" /> As part of this process, the hackers enlisted Canadian hacker Karim Baratov to break into accounts on other platforms.<ref name=":3">{{cite web |last1=Perlroth |first1=Nicole |last2=Goel |first2=Vindu |date=September 28, 2016 |title=Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say |url=https://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0 |url-status=live |archive-url=https://web.archive.org/web/20161215205623/http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0 |archive-date=December 15, 2016 |access-date=December 15, 2016 |work=[[The New York Times]]}}</ref><ref>{{cite journal |last1=Shankar |first1=Nithya |last2=Mohammed |first2=Zareef |year=2020 |title=Surviving Data Breaches: A Multiple Case Study Analysis |journal=Journal of Comparative International Management |volume=23 |pages=35–54 |doi=10.7202/1071508ar|doi-access=free }}</ref>


==July 2016 to October 2017: public disclosures==
==July 2016 to October 2017: public disclosures==
In June 2016, it was reported that account names and passwords for about 200 million Yahoo accounts was presented for sale on the [[darknet market]] site [[TheRealDeal]].<ref name="motherboard aug2016">{{cite web |last=Cox |first=Joseph |date=August 1, 2016 |title=Yahoo 'Aware' Hacker Is Advertising 200 Million Supposed Accounts on Dark Web |url=http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web |url-status=live |archive-url=https://web.archive.org/web/20161215210247/https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web |archive-date=December 15, 2016 |access-date=December 16, 2016 |work=[[Vice (magazine)|Vice]]}}</ref> Yahoo stated it was aware of the data and was evaluating it, cautioning users about the situation but did not reset account passwords at that time.<ref name="motherboard aug2016" />
In June 2016, it was reported that account names and passwords for about 200 million Yahoo accounts was presented for sale on the [[darknet market]] site [[TheRealDeal]].<ref name="motherboard aug2016">{{cite web |last=Cox |first=Joseph |date=August 1, 2016 |title=Yahoo 'Aware' Hacker Is Advertising 200 Million Supposed Accounts on Dark Web |url=http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web |url-status=live |archive-url=https://web.archive.org/web/20161215210247/https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web |archive-date=December 15, 2016 |access-date=December 16, 2016 |work=[[Vice (magazine)|Vice]]}}</ref> Yahoo stated it was aware of the data and was evaluating it, cautioning users about the situation but did not reset account passwords at that time.<ref name="motherboard aug2016" />


Yahoo officially reported the 2014 breach to the public on September 22, 2016. Yahoo's actions to deal with the breach included invalidating unencrypted security questions and answers and asking potentially affected users to change their passwords.<ref name=":0">{{Cite web |date=2016-09-22 |title=An Important Message to Yahoo Users on Security |url=https://www.businesswire.com/news/home/20160922006198/en/An-Important-Message-to-Yahoo-Users-on-Security |access-date=2024-03-26 |website=www.businesswire.com |language=en}}</ref> Yahoo also claimed that there was no evidence that the attackers were still in the system.<ref name=":0" /> The [[Federal Bureau of Investigation]] (FBI) confirmed that it was investigating the matter.<ref name="BBC_23_Sept_2016">{{cite news |date=September 23, 2016 |title=Yahoo 'state' hackers stole data from 500 million users |url=https://www.bbc.co.uk/news/world-us-canada-37447016 |url-status=live |archive-url=https://web.archive.org/web/20160923002317/http://www.bbc.co.uk/news/world-us-canada-37447016 |archive-date=September 23, 2016 |access-date=September 23, 2016 |publisher=[[BBC News]]}}</ref>
Yahoo officially reported the 2014 breach to the public on September 22, 2016. Yahoo's actions to deal with the breach included invalidating unencrypted security questions and answers and asking potentially affected users to change their passwords.<ref name=":0">{{Cite web |date=2016-09-22 |title=An Important Message to Yahoo Users on Security |url=https://www.businesswire.com/news/home/20160922006198/en/An-Important-Message-to-Yahoo-Users-on-Security |access-date=2024-03-26 |website=www.businesswire.com |language=en}}</ref> Yahoo also claimed that there was no evidence that the attackers were still in the system and that the attack was state-sponsored.<ref name=":0" /> The [[Federal Bureau of Investigation]] (FBI) confirmed that it was investigating the matter.<ref name="BBC_23_Sept_2016">{{cite news |date=September 23, 2016 |title=Yahoo 'state' hackers stole data from 500 million users |url=https://www.bbc.co.uk/news/world-us-canada-37447016 |url-status=live |archive-url=https://web.archive.org/web/20160923002317/http://www.bbc.co.uk/news/world-us-canada-37447016 |archive-date=September 23, 2016 |access-date=September 23, 2016 |publisher=[[BBC News]]}}</ref> The [[The Wall Street Journal|Wall Street Journal]] reported that a security firm, which had access to a portion of Yahoo's database, believed that the attackers were criminal in nature rather than state sponsored, and that the database had been sold repeatedly.<ref>{{Cite news |last=McMillan |first=Robert |title=Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says |url=https://www.wsj.com/articles/yahoo-hackers-were-criminals-rather-than-state-sponsored-security-firm-says-1475081065 |access-date=2024-05-27 |work=WSJ |language=en-US}}</ref>


In its November 2016 [[U.S. Securities and Exchange Commission|SEC]] filing, Yahoo reported they had been aware of an intrusion into its network in 2014, but had not understood the extent of the breach until it began an investigation of a separate data breach incident around July 2016.<ref name="wash1">{{cite news|title=Yahoo discovered hack leading to major data breach two years before it was disclosed|url=https://www.washingtonpost.com/news/the-switch/wp/2016/11/10/yahoo-discovered-hack-leading-to-major-data-breach-two-years-before-it-was-disclosed/|newspaper=The Washington Post|access-date=November 10, 2016|archive-date=November 11, 2016|archive-url=https://web.archive.org/web/20161111002926/https://www.washingtonpost.com/news/the-switch/wp/2016/11/10/yahoo-discovered-hack-leading-to-major-data-breach-two-years-before-it-was-disclosed/|url-status=live}}</ref><ref name="tnyt1">{{cite news|title=Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack|url=https://www.nytimes.com/2016/11/10/technology/yahoo-employees-knew-in-2014-about-hacker-attack.html|work=The New York Times|date=November 10, 2016 |access-date=November 10, 2016|archive-date=November 10, 2016|archive-url=https://web.archive.org/web/20161110033706/http://www.nytimes.com/2016/11/10/technology/yahoo-employees-knew-in-2014-about-hacker-attack.html|url-status=live|last1=Goel |first1=Vindu }}</ref> Yahoo's previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.<ref name="wsj1">{{cite news|last1=McMillan|first1=Robert|title=Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says|newspaper=WSJ |url=https://www.wsj.com/articles/yahoo-hackers-were-criminals-rather-than-state-sponsored-security-firm-says-1475081065|publisher=The Wall Street Journal|access-date=October 15, 2016|archive-date=October 15, 
2016|archive-url=https://web.archive.org/web/20161015064124/http://www.wsj.com/articles/yahoo-hackers-were-criminals-rather-than-state-sponsored-security-firm-says-1475081065|url-status=live}}</ref> The November filing noted that the company believed one of the data breaches had been conducted through a [[HTTP cookie|cookie]]-based attack that allowed hackers to authenticate as any other user without their password.<ref name="wash1" /><ref name="bbc2">{{cite news|title=Yahoo knew of 'state-backed' hack in 2014|work=BBC News |date=November 10, 2016 |url=https://www.bbc.co.uk/news/technology-37936219|access-date=November 10, 2016|archive-date=November 10, 2016|archive-url=https://web.archive.org/web/20161110153256/http://www.bbc.co.uk/news/technology-37936219|url-status=live}}</ref><ref>{{cite web|last1=Vaas|first1=Lisa|title=Yahoo staff knew they were breached two years ago|date=November 11, 2016 |url=https://nakedsecurity.sophos.com/2016/11/11/yahoo-staff-knew-they-were-breached-two-years-ago/|publisher=Naked Security|access-date=December 12, 2016|archive-date=December 17, 2016|archive-url=https://web.archive.org/web/20161217075432/https://nakedsecurity.sophos.com/2016/11/11/yahoo-staff-knew-they-were-breached-two-years-ago/|url-status=live}}</ref> (In an SEC regulatory filing in 2017, Yahoo reported that 32 million accounts were accessed through this cookie-based attack through 2015 and 2016.<ref>{{Cite web |last=Lawler |first=Richard |date=March 1, 2017 |title=Yahoo hackers accessed 32 million accounts with forged cookies |url=https://www.engadget.com/2017/03/01/yahoo-hackers-accessed-32-million-accounts-with-forged-cookies/ |url-status=live |archive-url=https://web.archive.org/web/20170302043137/https://www.engadget.com/2017/03/01/yahoo-hackers-accessed-32-million-accounts-with-forged-cookies/ |archive-date=March 2, 2017 |access-date=March 1, 2017 |work=[[Engadget]]}}</ref>)
In its November 2016 [[U.S. Securities and Exchange Commission]] (SEC) filing, Yahoo reported they had been aware of an intrusion into its network in 2014, but had not understood the extent of the breach until it began an investigation of a separate data breach incident around July 2016.<ref name="wash1">{{cite news|title=Yahoo discovered hack leading to major data breach two years before it was disclosed|url=https://www.washingtonpost.com/news/the-switch/wp/2016/11/10/yahoo-discovered-hack-leading-to-major-data-breach-two-years-before-it-was-disclosed/|newspaper=The Washington Post|access-date=November 10, 2016|archive-date=November 11, 2016|archive-url=https://web.archive.org/web/20161111002926/https://www.washingtonpost.com/news/the-switch/wp/2016/11/10/yahoo-discovered-hack-leading-to-major-data-breach-two-years-before-it-was-disclosed/|url-status=live}}</ref><ref name="tnyt1">{{cite news|title=Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack|url=https://www.nytimes.com/2016/11/10/technology/yahoo-employees-knew-in-2014-about-hacker-attack.html|work=The New York Times|date=November 10, 2016 |access-date=November 10, 2016|archive-date=November 10, 2016|archive-url=https://web.archive.org/web/20161110033706/http://www.nytimes.com/2016/11/10/technology/yahoo-employees-knew-in-2014-about-hacker-attack.html|url-status=live|last1=Goel |first1=Vindu }}</ref> Yahoo's previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.<ref name="wsj1">{{cite news|last1=McMillan|first1=Robert|title=Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says|newspaper=WSJ |url=https://www.wsj.com/articles/yahoo-hackers-were-criminals-rather-than-state-sponsored-security-firm-says-1475081065|publisher=The Wall Street Journal|access-date=October 15, 2016|archive-date=October 15, 
2016|archive-url=https://web.archive.org/web/20161015064124/http://www.wsj.com/articles/yahoo-hackers-were-criminals-rather-than-state-sponsored-security-firm-says-1475081065|url-status=live}}</ref> The November filing noted that the company believed one of the data breaches had been conducted through a [[HTTP cookie|cookie]]-based attack that allowed hackers to authenticate as any other user without their password.<ref name="wash1" /><ref name="bbc2">{{cite news|title=Yahoo knew of 'state-backed' hack in 2014|work=BBC News |date=November 10, 2016 |url=https://www.bbc.co.uk/news/technology-37936219|access-date=November 10, 2016|archive-date=November 10, 2016|archive-url=https://web.archive.org/web/20161110153256/http://www.bbc.co.uk/news/technology-37936219|url-status=live}}</ref><ref>{{cite web|last1=Vaas|first1=Lisa|title=Yahoo staff knew they were breached two years ago|date=November 11, 2016 |url=https://nakedsecurity.sophos.com/2016/11/11/yahoo-staff-knew-they-were-breached-two-years-ago/|publisher=Naked Security|access-date=December 12, 2016|archive-date=December 17, 2016|archive-url=https://web.archive.org/web/20161217075432/https://nakedsecurity.sophos.com/2016/11/11/yahoo-staff-knew-they-were-breached-two-years-ago/|url-status=live}}</ref> (In an SEC regulatory filing in 2017, Yahoo reported that 32 million accounts were accessed through this cookie-based attack through 2015 and 2016.<ref>{{Cite web |last=Lawler |first=Richard |date=March 1, 2017 |title=Yahoo hackers accessed 32 million accounts with forged cookies |url=https://www.engadget.com/2017/03/01/yahoo-hackers-accessed-32-million-accounts-with-forged-cookies/ |url-status=live |archive-url=https://web.archive.org/web/20170302043137/https://www.engadget.com/2017/03/01/yahoo-hackers-accessed-32-million-accounts-with-forged-cookies/ |archive-date=March 2, 2017 |access-date=March 1, 2017 |work=[[Engadget]]}}</ref>)


In December 2016, Yahoo disclosed the 2013 breach, and that one billion user accounts had been compromised.<ref name=":1">{{Cite news |last=Rushe |first=Dominic |date=2017-10-03 |title=Yahoo says all of its 3bn accounts were affected by 2013 hacking |url=https://www.theguardian.com/technology/2017/oct/03/yahoo-says-all-of-its-3bn-accounts-were-affected-by-2013-hacking |access-date=2024-03-26 |work=The Guardian |language=en-GB |issn=0261-3077}}</ref> Almost a year later, in October 2017 they revised that estimate and reported that all three billion Yahoo accounts had been compromised in the breach.<ref name=":1" />
In December 2016, Yahoo disclosed the 2013 breach, and that one billion user accounts had been compromised.<ref name=":1">{{Cite news |last=Rushe |first=Dominic |date=2017-10-03 |title=Yahoo says all of its 3bn accounts were affected by 2013 hacking |url=https://www.theguardian.com/technology/2017/oct/03/yahoo-says-all-of-its-3bn-accounts-were-affected-by-2013-hacking |access-date=2024-03-26 |work=The Guardian |language=en-GB |issn=0261-3077}}</ref> Almost a year later, in October 2017 they revised that estimate and reported that all three billion Yahoo accounts had been compromised in the breach.<ref name=":1" />


Yahoo's internal review of the situation found that Mayer and other key executives knew of the intrusions but failed to inform the company or take steps to prevent further breaches. The review led to the resignation of the company's General Counsel, Ronald S. Bell by March 2017, and Mayer's $12million<ref>{{Cite web |title=Investigation Shows High-Level Involvement in Two Hacks of Yahoo Customer Data |url=https://www.govtech.com/security/Investigation-Shows-in-High-Level-Involvement-in-Two-Hacks-of-Yahoo-Customer-Data.html |access-date=2024-05-25 |website=GovTech |language=en}}</ref> equity compensation and bonus for 2016 and 2017 was pulled.<ref>{{cite web |last=Goel |first=Vindu |date=March 1, 2017 |title=Yahoo's Top Lawyer Resigns and C.E.O. Marissa Mayer Loses Bonus in Wake of Hack |url=https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html |url-status=live |archive-url=https://web.archive.org/web/20170316013736/https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html |archive-date=March 16, 2017 |access-date=March 15, 2017 |work=[[The New York Times]]}}</ref>
Yahoo's internal review of the situation found that Mayer and other key executives knew of the intrusions but failed to inform the company or take steps to prevent further breaches. The review led to the resignation of the company's General Counsel, Ronald S. Bell by March 2017, and Mayer's $12 million equity compensation and bonus for 2016 and 2017 was pulled.<ref>{{cite web |last=Goel |first=Vindu |date=March 1, 2017 |title=Yahoo's Top Lawyer Resigns and C.E.O. Marissa Mayer Loses Bonus in Wake of Hack |url=https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html |url-status=live |archive-url=https://web.archive.org/web/20170316013736/https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html |archive-date=March 16, 2017 |access-date=March 15, 2017 |work=[[The New York Times]]}}</ref>


==Prosecution==
==Prosecution==
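Review bot: The revised sentence on Mayer's compensation drops the GovTech citation that sat directly on the "$12million" figure, so the amount now rests only on the New York Times reference at the end of the sentence. Confirm that source states the $12 million figure, or keep the inline citation. The same sentence also needs a comma after "Ronald S. Bell".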
Line 38: Line 39:
The four men accused include [[hacker]] Alexsey Belan who was on the [[FBI Ten Most Wanted Fugitives]] list, FSB agents [[Dmitry Dokuchaev]] and Igor Sechin who the FBI accused of paying Belan and other hackers to conduct the hack, and Canadian hacker Karim Baratov. The FBI claimed that Dokuchaev and Sushchin paid Karim Baratov to use data obtained by the Yahoo breaches to break into about 80 non-Yahoo accounts of specific targets.<ref name="reuters baratov">{{cite web | url=https://www.reuters.com/article/us-yahoo-cyber/canadian-charged-in-yahoo-hacking-case-to-plead-guilty-in-u-s-idUSKBN1DO2PJ | title=Canadian charged in Yahoo hacking case to plead guilty in U.S. | first=Nate | last=Raymond | date=November 24, 2017 | access-date=November 27, 2017 | publisher=[[Reuters]] | archive-date=November 26, 2017 | archive-url=https://web.archive.org/web/20171126105049/https://www.reuters.com/article/us-yahoo-cyber/canadian-charged-in-yahoo-hacking-case-to-plead-guilty-in-u-s-idUSKBN1DO2PJ | url-status=live }}</ref> Russian officials have denied any involvement.<ref>{{cite web |last=Braga |first=Matthew |date=2017-03-17 |title=Here's how the FBI says Russian hackers stole Yahoo account secrets |url=https://www.cbc.ca/news/science/russian-yahoo-hackers-indictment-500-million-emails-how-1.4029532 |access-date=2024-05-01 |publisher=CBC News |quote=Using a variety of techniques to bypass security measures, hackers sought access to myriad email accounts}}</ref><ref>{{Cite news |last=Eckel |first=Mike |last2=Schreck |first2=Carl |date=2017-03-18 |title=Undercover FSB Officer Indicted By U.S. Worked For Moscow Investment Bank |url=https://www.rferl.org/a/russia-fsb-officer-indicted-worked-moscow-investment-bank/28377570.html |access-date=2024-05-01 |work=Radio Free Europe/Radio Liberty |language=en}}</ref>
The four men accused include [[hacker]] Alexsey Belan who was on the [[FBI Ten Most Wanted Fugitives]] list, FSB agents [[Dmitry Dokuchaev]] and Igor Sechin who the FBI accused of paying Belan and other hackers to conduct the hack, and Canadian hacker Karim Baratov. The FBI claimed that Dokuchaev and Sushchin paid Karim Baratov to use data obtained by the Yahoo breaches to break into about 80 non-Yahoo accounts of specific targets.<ref name="reuters baratov">{{cite web | url=https://www.reuters.com/article/us-yahoo-cyber/canadian-charged-in-yahoo-hacking-case-to-plead-guilty-in-u-s-idUSKBN1DO2PJ | title=Canadian charged in Yahoo hacking case to plead guilty in U.S. | first=Nate | last=Raymond | date=November 24, 2017 | access-date=November 27, 2017 | publisher=[[Reuters]] | archive-date=November 26, 2017 | archive-url=https://web.archive.org/web/20171126105049/https://www.reuters.com/article/us-yahoo-cyber/canadian-charged-in-yahoo-hacking-case-to-plead-guilty-in-u-s-idUSKBN1DO2PJ | url-status=live }}</ref> Russian officials have denied any involvement.<ref>{{cite web |last=Braga |first=Matthew |date=2017-03-17 |title=Here's how the FBI says Russian hackers stole Yahoo account secrets |url=https://www.cbc.ca/news/science/russian-yahoo-hackers-indictment-500-million-emails-how-1.4029532 |access-date=2024-05-01 |publisher=CBC News |quote=Using a variety of techniques to bypass security measures, hackers sought access to myriad email accounts}}</ref><ref>{{Cite news |last=Eckel |first=Mike |last2=Schreck |first2=Carl |date=2017-03-18 |title=Undercover FSB Officer Indicted By U.S. Worked For Moscow Investment Bank |url=https://www.rferl.org/a/russia-fsb-officer-indicted-worked-moscow-investment-bank/28377570.html |access-date=2024-05-01 |work=Radio Free Europe/Radio Liberty |language=en}}</ref>


Baratov, the only man arrested, was extradited to the United States in August 2017<ref>{{Cite web |last=Bennett |first=Kelly |title=Karim Baratov, alleged Yahoo hacker, pleads not guilty in U.S. court |url=https://www.cbc.ca/news/canada/hamilton/karim-baratov-alleged-yahoo-hacker-pleads-not-guilty-in-u-s-court-1.4259623}}</ref>. He pled guilty, admitting to hacking into at least 80 email accounts on behalf of Russian contacts. He was charged with nine counts of hacking, and in May 2018 sentenced to 5 years in prison and ordered to pay $2.25 million and restitution to his victims.<ref>{{cite web | url = https://www.engadget.com/2018/05/30/yahoo-hacker-sentence/ | title = Attacker involved in 2014 Yahoo hack gets five years in prison | first = Mariella | last = Moon | date = May 30, 2018 | access-date = May 30, 2018 | work = [[Engadget]] | archive-date = May 31, 2018 | archive-url = https://web.archive.org/web/20180531020408/https://www.engadget.com/2018/05/30/yahoo-hacker-sentence/ | url-status = live }}</ref> His memoir, published in 2023, describes a party lifestyle funded by hacking into email accounts of thousands of people.<ref>{{Cite book |last=Baratov |first=Karim |url=https://www.amazon.co.uk/Disconnected-Memoir-Hacker-Karim-Baratov-ebook/dp/B0BSVHWKS9/ref=tmm_kin_swatch_0?_encoding=UTF8&qid=&sr= |title=Disconnected: A Memoir of the Yahoo Hacker |year=2023 |access-date=2024-03-26}}</ref>
Baratov, the only man arrested, was extradited to the United States in August 2017.<ref>{{Cite web |last=Bennett |first=Kelly |title=Karim Baratov, alleged Yahoo hacker, pleads not guilty in U.S. court |url=https://www.cbc.ca/news/canada/hamilton/karim-baratov-alleged-yahoo-hacker-pleads-not-guilty-in-u-s-court-1.4259623}}</ref> He pled guilty, admitting to hacking into at least 80 email accounts on behalf of Russian contacts. He was charged with nine counts of hacking, and in May 2018 sentenced to 5 years in prison and ordered to pay $2.25 million and restitution to his victims.<ref>{{cite web | url = https://www.engadget.com/2018/05/30/yahoo-hacker-sentence/ | title = Attacker involved in 2014 Yahoo hack gets five years in prison | first = Mariella | last = Moon | date = May 30, 2018 | access-date = May 30, 2018 | work = [[Engadget]] | archive-date = May 31, 2018 | archive-url = https://web.archive.org/web/20180531020408/https://www.engadget.com/2018/05/30/yahoo-hacker-sentence/ | url-status = live }}</ref> His memoir, published in 2023, describes a party lifestyle funded by hacking into email accounts of thousands of people.<ref>{{Cite book |last=Baratov |first=Karim |url=https://www.amazon.co.uk/Disconnected-Memoir-Hacker-Karim-Baratov-ebook/dp/B0BSVHWKS9/ref=tmm_kin_swatch_0?_encoding=UTF8&qid=&sr= |title=Disconnected: A Memoir of the Yahoo Hacker |year=2023 |access-date=2024-03-26}}</ref>


==Reactions and criticism ==
==Reactions and criticism ==
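Review bot: In the paragraph on the accused, the second FSB agent is named "Igor Sechin" in the first sentence and "Sushchin" in the next, and this revision leaves both. Reconcile the name against the cited Reuters and RFE/RL sources so that it reads the same in both places. The Bennett citation on the extradition sentence also has no date or access-date, unlike the other references in the section.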
Line 47: Line 48:


===United States government===
===United States government===
In a letter to Mayer, six U.S. Senators ([[Elizabeth Warren]], [[Patrick Leahy]], [[Al Franken]], [[Richard Blumenthal]], [[Ron Wyden]] and [[Ed Markey]]) demanded answers on when Yahoo discovered the last 2014 breach, and why it took so long to disclose it to the public, calling the time lag between the security breach and its disclosure "unacceptable".<ref>{{cite web|title=Letter to Marissa Mayer signed by 6 senators|url=https://www.leahy.senate.gov/imo/media/doc/9-27-16%20Yahoo%20Breach%20Letter.pdf|website=leahy.senate.gov|access-date=September 30, 2016|archive-date=October 3, 2016|archive-url=https://web.archive.org/web/20161003140602/https://www.leahy.senate.gov/imo/media/doc/9-27-16%20Yahoo%20Breach%20Letter.pdf|url-status=live}}</ref><ref>{{cite web|last1=Fisher|first1=Dennis|title=Senators Demand Answers of Mayer on Yahoo Data Breach|url=https://www.onthewire.io/senators-demand-answers-of-mayer-on-yahoo-data-breach/|publisher=OnTheWire|access-date=September 30, 2016|date=28 September 2016|archive-date=October 2, 2016|archive-url=https://web.archive.org/web/20161002162913/https://www.onthewire.io/senators-demand-answers-of-mayer-on-yahoo-data-breach/|url-status=live}}</ref><ref>{{cite news|last1=Kuchler|first1=Hannah|title=US senators demand answers from Yahoo|url=http://www.ft.com/cms/s/0/36fd9132-84e1-11e6-a29c-6e7d9515ad15.html|newspaper=The Financial Times|date=September 27, 2016 |access-date=September 30, 2016|url-access=subscription|archive-date=March 23, 2023|archive-url=https://web.archive.org/web/20230323184159/https://www.ft.com/content/36fd9132-84e1-11e6-a29c-6e7d9515ad15|url-status=live}}</ref> On September 26, 2016, senator [[Mark Warner]] asked the [[U.S. Securities and Exchange Commission]] (SEC) to investigate whether Yahoo and its senior executives fulfilled their obligations under federal securities laws to properly disclose the attack. 
In 2017, the SEC announced a $35 million fine against [[Altaba]] for failure to disclose the 2014 breach in a timely manner.<ref>{{cite web |last=Kastrenakes |first=Jacob |date=April 24, 2018 |title=SEC issues $35 million fine over Yahoo failing to disclose data breach |url=https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million |url-status=live |archive-url=https://web.archive.org/web/20180424182229/https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million |archive-date=April 24, 2018 |access-date=April 24, 2018 |work=[[The Verge]]}}</ref><ref>{{Cite news |last=Merle |first=Renae |date=2021-10-23 |title=Yahoo fined $35 million for failing to disclose cyber breach |url=https://www.washingtonpost.com/news/business/wp/2018/04/24/yahoo-fined-35-million-for-failing-to-disclose-cyber-breach/ |access-date=2024-04-02 |newspaper=Washington Post |language=en-US |issn=0190-8286}}</ref>
In a letter to Mayer, six U.S. Senators ([[Elizabeth Warren]], [[Patrick Leahy]], [[Al Franken]], [[Richard Blumenthal]], [[Ron Wyden]] and [[Ed Markey]]) demanded answers on when Yahoo discovered the last 2014 breach, and why it took so long to disclose it to the public, calling the time lag between the security breach and its disclosure "unacceptable".<ref>{{cite web|title=Letter to Marissa Mayer signed by 6 senators|url=https://www.leahy.senate.gov/imo/media/doc/9-27-16%20Yahoo%20Breach%20Letter.pdf|website=leahy.senate.gov|access-date=September 30, 2016|archive-date=October 3, 2016|archive-url=https://web.archive.org/web/20161003140602/https://www.leahy.senate.gov/imo/media/doc/9-27-16%20Yahoo%20Breach%20Letter.pdf|url-status=live}}</ref><ref>{{cite web|last1=Fisher|first1=Dennis|title=Senators Demand Answers of Mayer on Yahoo Data Breach|url=https://www.onthewire.io/senators-demand-answers-of-mayer-on-yahoo-data-breach/|publisher=OnTheWire|access-date=September 30, 2016|date=28 September 2016|archive-date=October 2, 2016|archive-url=https://web.archive.org/web/20161002162913/https://www.onthewire.io/senators-demand-answers-of-mayer-on-yahoo-data-breach/|url-status=live}}</ref><ref>{{cite news|last1=Kuchler|first1=Hannah|title=US senators demand answers from Yahoo|url=http://www.ft.com/cms/s/0/36fd9132-84e1-11e6-a29c-6e7d9515ad15.html|newspaper=The Financial Times|date=September 27, 2016 |access-date=September 30, 2016|url-access=subscription|archive-date=March 23, 2023|archive-url=https://web.archive.org/web/20230323184159/https://www.ft.com/content/36fd9132-84e1-11e6-a29c-6e7d9515ad15|url-status=live}}</ref> On September 26, 2016, senator [[Mark Warner]] asked the U.S. Securities and Exchange Commission (SEC) to investigate whether Yahoo and its senior executives fulfilled their obligations under federal securities laws to properly disclose the attack. 
In 2017, the SEC announced a $35 million fine against [[Altaba]] for failure to disclose the 2014 breach in a timely manner.<ref>{{cite web |last=Kastrenakes |first=Jacob |date=April 24, 2018 |title=SEC issues $35 million fine over Yahoo failing to disclose data breach |url=https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million |url-status=live |archive-url=https://web.archive.org/web/20180424182229/https://www.theverge.com/2018/4/24/17275994/yahoo-sec-fine-2014-data-breach-35-million |archive-date=April 24, 2018 |access-date=April 24, 2018 |work=[[The Verge]]}}</ref><ref>{{Cite news |last=Merle |first=Renae |date=2021-10-23 |title=Yahoo fined $35 million for failing to disclose cyber breach |url=https://www.washingtonpost.com/news/business/wp/2018/04/24/yahoo-fined-35-million-for-failing-to-disclose-cyber-breach/ |access-date=2024-04-02 |newspaper=Washington Post |language=en-US |issn=0190-8286}}</ref>


===Class action lawsuits===
===Class action lawsuits===
In November 2016, it was reported that 23 lawsuits related to the late 2014 breach had been filed against Yahoo.<ref name="tnyt1" /> In one lawsuit, filed in the [[United States District Court for the Southern District of California|U.S. District Court for the Southern District of California]] in [[San Diego, California|San Diego]], the plaintiffs contend that the hack caused an "intrusion into personal financial matters."
In November 2016, it was reported that 23 lawsuits related to the late 2014 breach had been filed against Yahoo.<ref name="tnyt1" /> In one lawsuit, filed in the [[United States District Court for the Southern District of California|U.S. District Court for the Southern District of California]] in [[San Diego, California|San Diego]], the plaintiffs contended that the hack caused an "intrusion into personal financial matters."<ref>{{Cite web |last=Larson |first=Selena |date=2016-09-23 |title=Yahoo facing lawsuits in the wake of massive data breach |url=https://money.cnn.com/2016/09/23/news/companies/yahoo-sued-data-breach/index.html |access-date=2024-05-27 |website=CNNMoney}}</ref>


Five of these 23 cases were combined into a single suit in early December 2016.<ref>{{Cite web | url=http://www.siliconbeat.com/2016/12/08/yahoo-data-breach-class-action-suits-joined-together-in-san-jose-federal-court/ | title=Yahoo data-breach class-action lawsuits joined together in San Jose federal court | first=Ethan | last=Baron | date=December 8, 2016 | access-date=December 15, 2016 | work=[[Silicon Beat]] | archive-date=December 11, 2016 | archive-url=https://web.archive.org/web/20161211105052/http://www.siliconbeat.com/2016/12/08/yahoo-data-breach-class-action-suits-joined-together-in-san-jose-federal-court/ | url-status=live }}</ref><ref>{{cite web | url=https://www.reuters.com/article/us-verizon-yahoo-breach/yahoo-must-face-litigation-by-data-breach-victims-u-s-judge-idUSKCN1BB25Q | title=Yahoo must face litigation by data breach victims: U.S. judge | first=Jonathan | last=Stempel | date=August 31, 2017 | access-date=August 31, 2017 | work=[[Reuters]] | archive-date=September 1, 2017 | archive-url=https://web.archive.org/web/20170901065505/http://www.reuters.com/article/us-verizon-yahoo-breach/yahoo-must-face-litigation-by-data-breach-victims-u-s-judge-idUSKCN1BB25Q | url-status=live }}</ref> The case was later amended to include the updated breach information following Yahoo's announcement about the August 2013 breach<ref>{{cite web | url = https://www.reuters.com/article/us-verizon-yahoo-breach/data-breach-victims-can-sue-yahoo-in-the-united-states-judge-idUSKCN1GO1TL | title = Data breach victims can sue Yahoo in the United States: judge | first = Jonathan | last = Stempel | date = March 12, 2018 | access-date = March 12, 2018 | publisher = [[Reuters]] | archive-date = March 12, 2018 | archive-url = https://web.archive.org/web/20180312163332/https://www.reuters.com/article/us-verizon-yahoo-breach/data-breach-victims-can-sue-yahoo-in-the-united-states-judge-idUSKCN1GO1TL | url-status = live }}</ref> Before a trial could commence, Verizon and Altaba 
agreed to split the cost of a $50 million settlement in October 2018 with those in the class action (an estimated 200 million total users), along with providing two years of free credit monitoring.<ref name="abcnews oct settlement">{{cite web | url = https://abcnews.go.com/Technology/wireStory/yahoo-pay-50m-costs-massive-security-breach-58693643 | title = Yahoo to pay $50M, other costs for massive security breach | first = Michael | last = Liedtke | date = October 23, 2018 | access-date = October 23, 2018 | work = [[ABC News]] | archive-date = October 23, 2018 | archive-url = https://web.archive.org/web/20181023215445/https://abcnews.go.com/Technology/wireStory/yahoo-pay-50m-costs-massive-security-breach-58693643 | url-status = live }}</ref> The Judge rejected the settlement offer, questioning the lack of transparency of the details of the settlements, as well as high costs recouped by the lawyers through the settlement.<ref>{{cite web | url = https://www.engadget.com/2019/01/29/judge-tosses-yahoo-data-breach-settlement/ | title = Judge rejects Yahoo's proposed settlement over data breaches | first = Jon | last = Fingas | date = January 29, 2019 | access-date = January 29, 2019 | work = [[Engadget]] | archive-date = January 29, 2019 | archive-url = https://web.archive.org/web/20190129195719/https://www.engadget.com/2019/01/29/judge-tosses-yahoo-data-breach-settlement/ | url-status = live }}</ref> Yahoo agreed to settle for $117.5 million in April 2019, again offering affected users credit monitoring or a cash payout dependent on the number of respondents in the class.<ref>{{cite web | url = https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118-million-payout/ | title = Yahoo tries to settle 3-billion-account data breach with $118 million payout | first = Jon | last = Brodkin | date = April 10, 2019 | access-date = October 1, 2019 | work = [[Ars Technica]] | archive-date = October 1, 2019 | archive-url = 
https://web.archive.org/web/20191001162656/https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118-million-payout/ | url-status = live }}</ref>
Five of these 23 cases were combined into a single suit in early December 2016.<ref>{{Cite web | url=http://www.siliconbeat.com/2016/12/08/yahoo-data-breach-class-action-suits-joined-together-in-san-jose-federal-court/ | title=Yahoo data-breach class-action lawsuits joined together in San Jose federal court | first=Ethan | last=Baron | date=December 8, 2016 | access-date=December 15, 2016 | work=[[Silicon Beat]] | archive-date=December 11, 2016 | archive-url=https://web.archive.org/web/20161211105052/http://www.siliconbeat.com/2016/12/08/yahoo-data-breach-class-action-suits-joined-together-in-san-jose-federal-court/ | url-status=live }}</ref><ref>{{cite web | url=https://www.reuters.com/article/us-verizon-yahoo-breach/yahoo-must-face-litigation-by-data-breach-victims-u-s-judge-idUSKCN1BB25Q | title=Yahoo must face litigation by data breach victims: U.S. judge | first=Jonathan | last=Stempel | date=August 31, 2017 | access-date=August 31, 2017 | work=[[Reuters]] | archive-date=September 1, 2017 | archive-url=https://web.archive.org/web/20170901065505/http://www.reuters.com/article/us-verizon-yahoo-breach/yahoo-must-face-litigation-by-data-breach-victims-u-s-judge-idUSKCN1BB25Q | url-status=live }}</ref> The case was later amended to include the updated breach information following Yahoo's announcement about the August 2013 breach.<ref>{{cite web | url = https://www.reuters.com/article/us-verizon-yahoo-breach/data-breach-victims-can-sue-yahoo-in-the-united-states-judge-idUSKCN1GO1TL | title = Data breach victims can sue Yahoo in the United States: judge | first = Jonathan | last = Stempel | date = March 12, 2018 | access-date = March 12, 2018 | publisher = [[Reuters]] | archive-date = March 12, 2018 | archive-url = https://web.archive.org/web/20180312163332/https://www.reuters.com/article/us-verizon-yahoo-breach/data-breach-victims-can-sue-yahoo-in-the-united-states-judge-idUSKCN1GO1TL | url-status = live }}</ref> Before a trial could commence, Verizon and Altaba 
agreed to split the cost of a $50 million settlement in October 2018 with those in the class action (an estimated 200 million total users), along with providing two years of free credit monitoring.<ref name="abcnews oct settlement">{{cite web | url = https://abcnews.go.com/Technology/wireStory/yahoo-pay-50m-costs-massive-security-breach-58693643 | title = Yahoo to pay $50M, other costs for massive security breach | first = Michael | last = Liedtke | date = October 23, 2018 | access-date = October 23, 2018 | work = [[ABC News]] | archive-date = October 23, 2018 | archive-url = https://web.archive.org/web/20181023215445/https://abcnews.go.com/Technology/wireStory/yahoo-pay-50m-costs-massive-security-breach-58693643 | url-status = live }}</ref> The judge rejected the settlement offer, questioning the lack of transparency of the details of the settlements, as well as high costs recouped by the lawyers through the settlement.<ref>{{cite web | url = https://www.engadget.com/2019/01/29/judge-tosses-yahoo-data-breach-settlement/ | title = Judge rejects Yahoo's proposed settlement over data breaches | first = Jon | last = Fingas | date = January 29, 2019 | access-date = January 29, 2019 | work = [[Engadget]] | archive-date = January 29, 2019 | archive-url = https://web.archive.org/web/20190129195719/https://www.engadget.com/2019/01/29/judge-tosses-yahoo-data-breach-settlement/ | url-status = live }}</ref> Yahoo agreed to settle for $117.5 million in April 2019, again offering affected users credit monitoring and a cash payout that depended on the number of respondents in the class.<ref>{{cite web | url = https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118-million-payout/ | title = Yahoo tries to settle 3-billion-account data breach with $118 million payout | first = Jon | last = Brodkin | date = April 10, 2019 | access-date = October 1, 2019 | work = [[Ars Technica]] | archive-date = October 1, 2019 | archive-url = 
https://web.archive.org/web/20191001162656/https://arstechnica.com/tech-policy/2019/04/yahoo-tries-to-settle-3-billion-account-data-breach-with-118-million-payout/ | url-status = live }}</ref>


===International===
===International===
Foreign governments have also shown concerns on the several data breaches. On October 28, 2016 the European privacy regulators [[Article 29 Data Protection Working Party]] outlined concerns about the 2014 data breach as well as allegations that the company built a system that [[Yahoo!#Storing personal information and tracking usage|scanned customers' incoming emails]] at the request of U.S. intelligence services in a letter<ref>{{cite web|title=ARTICLE 29 Data Protection Working Party Letter To Yahoo!|url=http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20161027__letter_of_the_chair_of_the_art_29_wp_yahoo_en.pdf|access-date=November 2, 2016|archive-date=November 4, 2016|archive-url=https://web.archive.org/web/20161104050113/http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20161027__letter_of_the_chair_of_the_art_29_wp_yahoo_en.pdf|url-status=live}}</ref> to Yahoo.<ref>{{cite news |last1=Drozdiak |first1=Natalia |title=EU Issues Data-Protection Warning to WhatsApp, Yahoo |url=https://www.wsj.com/articles/eu-issues-data-protection-warning-to-whatsapp-yahoo-1477647543 |access-date=23 March 2023 |work=[[The Wall Street Journal]] |date=28 October 2016 |url-access=subscription |id={{ProQuest|1833042031}} |archive-date=January 4, 2017 |archive-url=https://web.archive.org/web/20170104052245/http://www.wsj.com/articles/eu-issues-data-protection-warning-to-whatsapp-yahoo-1477647543 |url-status=live }}</ref> They asked Yahoo to communicate all aspects of the data breach to the EU authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations".<ref>{{cite news|last1=Fioretti|first1=Julia|title=EU data protection watchdogs warn WhatsApp, Yahoo on privacy|date=October 28, 2016 
|url=https://www.reuters.com/article/us-eu-dataprotection-whatsapp-yahoo-idUSKCN12S0X5|work=Reuters|access-date=October 29, 2016|archive-date=October 29, 2016|archive-url=https://web.archive.org/web/20161029014210/http://www.reuters.com/article/us-eu-dataprotection-whatsapp-yahoo-idUSKCN12S0X5|url-status=live}}</ref> In late November, Ireland's [[Data Protection Commissioner]], (the lead European regulator on privacy issues for Yahoo because Yahoo's European headquarters are in Dublin, said that it had stepped up its examination of the breach,<ref>{{cite news|last1=Bergin|first1=Tom|title=Irish data regulator steps up Yahoo hack probe, waits on email scanning|date=November 21, 2016 |url=https://www.reuters.com/article/us-yahoo-security-idUSKBN13G23C|work=Reuters|access-date=November 26, 2016|archive-date=November 26, 2016|archive-url=https://web.archive.org/web/20161126071512/http://www.reuters.com/article/us-yahoo-security-idUSKBN13G23C|url-status=live}}</ref> Germany's [[Federal Office for Information Security]] criticized Yahoo following the December 2016 announcement, stating "security is not a foreign concept", and warned government and other German users to seek email and internet solutions from companies with better security approaches.<ref>{{cite web | url=http://fortune.com/2016/12/15/germany-yahoo-hack/ | title=Germany Slams Yahoo Over Cybersecurity Practices | date=December 15, 2016 | access-date=December 15, 2016 | agency=[[Reuters]] | archive-date=December 16, 2016 | archive-url=https://web.archive.org/web/20161216043445/http://fortune.com/2016/12/15/germany-yahoo-hack/ | url-status=live }}</ref>
Foreign governments have also shown concerns on the several data breaches. In October 2016 the European privacy regulators [[Article 29 Data Protection Working Party]] outlined concerns about the 2014 data breach as well as allegations that the company built a system that [[Yahoo!#Storing personal information and tracking usage|scanned customers' incoming emails]] at the request of U.S. intelligence services in a letter to Yahoo.<ref>{{cite web|title=ARTICLE 29 Data Protection Working Party Letter To Yahoo!|url=http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20161027__letter_of_the_chair_of_the_art_29_wp_yahoo_en.pdf|access-date=November 2, 2016|archive-date=November 4, 2016|archive-url=https://web.archive.org/web/20161104050113/http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20161027__letter_of_the_chair_of_the_art_29_wp_yahoo_en.pdf|url-status=live}}</ref><ref>{{cite news |last1=Drozdiak |first1=Natalia |title=EU Issues Data-Protection Warning to WhatsApp, Yahoo |url=https://www.wsj.com/articles/eu-issues-data-protection-warning-to-whatsapp-yahoo-1477647543 |access-date=23 March 2023 |work=[[The Wall Street Journal]] |date=28 October 2016 |url-access=subscription |id={{ProQuest|1833042031}} |archive-date=January 4, 2017 |archive-url=https://web.archive.org/web/20170104052245/http://www.wsj.com/articles/eu-issues-data-protection-warning-to-whatsapp-yahoo-1477647543 |url-status=live }}</ref> They asked Yahoo to communicate all aspects of the data breach to the European Union authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations".<ref>{{cite news|last1=Fioretti|first1=Julia|title=EU data protection watchdogs warn WhatsApp, Yahoo on privacy|date=October 28, 2016 
|url=https://www.reuters.com/article/us-eu-dataprotection-whatsapp-yahoo-idUSKCN12S0X5|work=Reuters|access-date=October 29, 2016|archive-date=October 29, 2016|archive-url=https://web.archive.org/web/20161029014210/http://www.reuters.com/article/us-eu-dataprotection-whatsapp-yahoo-idUSKCN12S0X5|url-status=live}}</ref> Ireland's [[Data Protection Commissioner]], (the lead European regulator on privacy issues for Yahoo because Yahoo's European headquarters are in Dublin), investigated the breach and issued a statement that "Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law" and that "Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law", although no fine was issued.<ref>{{Cite web |title=Data Protection Commission |url=https://www.dataprotection.ie/news-media/press-releases/Data-Protection-Commission-concludes-investigation-into-Yahoo-Data-Breach |access-date=2024-05-27 |website=Data Protection Commission |language=en}}</ref> Germany's [[Federal Office for Information Security]] criticized Yahoo following the December 2016 announcement, stating "security is not a foreign concept", and warned government and other German users to seek email and internet solutions from companies with better security approaches.<ref>{{cite web | url=http://fortune.com/2016/12/15/germany-yahoo-hack/ | title=Germany Slams Yahoo Over Cybersecurity Practices | date=December 15, 2016 | access-date=December 15, 2016 | agency=[[Reuters]] | archive-date=December 16, 2016 | archive-url=https://web.archive.org/web/20161216043445/http://fortune.com/2016/12/15/germany-yahoo-hack/ | url-status=live }}</ref>


==References==
==References==
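Review bot: The SEC sentence says the fine was announced "In 2017", but both citations attached to it point to April 24, 2018 coverage (The Verge is dated April 24, 2018, and the Washington Post URL carries 2018/04/24 while its date field reads 2021-10-23). Check the year in the text and the Washington Post date parameter against the sources. In the class action paragraph the revision changes "credit monitoring or a cash payout" to "credit monitoring and a cash payout", which alters the meaning and should be verified against the Ars Technica source.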

Revision as of 05:12, 3 June 2024

In 2013 and 2014, the American web services company Yahoo was subjected to two of the largest data breaches on record. Although Yahoo was aware, neither breach was revealed publicly until September 2016.

The 2013 data breach occurred on Yahoo servers in August 2013 and affected all three billion user accounts. The 2014 breach affected over 500 million user accounts. Both breaches are considered the largest ever discovered and included names, email addresses, phone numbers, birth dates, and security questions—both encrypted and unencrypted. When Yahoo made the breaches public in 2016, they acknowledged being aware of the second intrusion since 2014.

These incidents led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov, who received a five-year prison sentence, and also prompted widespread criticism of Yahoo for its delayed response. The fallout included a U.S. $117.5 million class-action lawsuit settlement, a $35 million fine from the U.S. Securities and Exchange Commission, scrutiny by the United States Congress, and complications for Verizon Communications' 2017 acquisition of Yahoo.

August 2013: breach

Marissa Mayer, who was CEO of Yahoo at the time of the breaches, at the World Economic Forum 2013

The first data breach occurred on Yahoo servers in August 2013[1] and affected all three billion user accounts.[2][3] Yahoo announced the breach on December 14, 2016.[4] Marissa Mayer, who was CEO of Yahoo at the time of the breach, testified before Congress in 2017 that Yahoo had been unable to determine who perpetrated the 2013 breach.[5]

Early 2014: security culture at Yahoo

A year after Yahoo was identified by the American whistleblower Edward Snowden as a frequent target for state-sponsored hackers in 2013, the company hired a dedicated chief information security officer, Alex Stamos. While Stamos' hiring was praised by technology experts as showing Yahoo's commitment towards better security, Yahoo CEO Marissa Mayer had reportedly denied Stamos and his security team sufficient funds to implement the security measures they recommended, and he departed the company by 2015.[4]

Late 2014: breach

During November or December 2014, a hacker, believed by the U.S. Justice Department to be the Russian national Alexey Belan, copied a November 2014 backup of Yahoo's User Account Database, containing details of over 500 million accounts, to a computer under his control.[6] The User Account Database included data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers through manipulated web cookies.[7][8][9] The majority of Yahoo's passwords used the bcrypt hashing algorithm, which is considered difficult to crack, with the rest using the older MD5 algorithm, which can be broken rather quickly.[10]
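The mix of bcrypt and legacy MD5 hashes described above is something a defender can measure in their own credential store before an incident forces the question. The audit below is an added example, not code from Yahoo or from the cited sources; the sample rows are constructed, and the cost floor of 12 and the action names are assumptions.

```python
import hashlib
import re
from collections import Counter

# bcrypt modular-crypt string: "$2b$" (or $2$, $2a$, $2x$, $2y$), a two-digit
# cost, then 53 characters (22-char salt + 31-char digest) in bcrypt's alphabet.
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
# A bare 32-hex-digit value is how unsalted MD5 digests are usually stored.
# Heuristic: other 128-bit digests look identical and are equally unsuitable.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

MIN_BCRYPT_COST = 12  # assumed policy floor; each +1 doubles the hashing work


def classify(stored):
    """Return (scheme, cost) for one stored password hash string."""
    match = BCRYPT_RE.fullmatch(stored)
    if match:
        return "bcrypt", int(match.group(1))
    if MD5_RE.fullmatch(stored):
        return "md5", None
    return "unknown", None


def remediation(stored):
    """Map a stored hash to an action (action names are hypothetical)."""
    scheme, cost = classify(stored)
    if scheme == "md5":
        # Fast, unsalted digest: treat the password as exposed if the table leaks.
        return "force_reset"
    if scheme == "bcrypt":
        return "ok" if cost >= MIN_BCRYPT_COST else "rehash_on_login"
    return "manual_review"


def audit(rows):
    """rows: iterable of (account, stored_hash). Returns (plan, scheme_counts)."""
    rows = list(rows)
    plan = {account: remediation(stored) for account, stored in rows}
    schemes = Counter(classify(stored)[0] for _, stored in rows)
    return plan, schemes


# Constructed sample rows: format-valid strings, not real password hashes.
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + "A" * 22 + "b" * 31),
    ("bob", "$2a$08$" + "C" * 22 + "d" * 31),
    ("carol", hashlib.md5(b"constructed-sample").hexdigest()),
    ("dave", "not-a-recognised-hash"),
]

if __name__ == "__main__":
    plan, schemes = audit(SAMPLE_ROWS)
    for account, action in plan.items():
        print(f"{account:6} {action}")
    print(dict(schemes))
```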

From October 2014 to at least November 2016, Belan and at least two hackers connected to him accessed user account information and contents for various unlawful actions including searching emails for gift voucher codes, deliberately targeting the accounts of persons of interest, improving the search ranking of businesses they had an interest in, and using the Yahoo data to breach accounts on other platforms such as Gmail.[6] As part of this process, the hackers enlisted Canadian hacker Karim Baratov to break into accounts on other platforms.[11][12]

July 2016 to October 2017: public disclosures

In June 2016, it was reported that account names and passwords for about 200 million Yahoo accounts were presented for sale on the darknet market site TheRealDeal.[13] Yahoo stated that it was aware of the data and was evaluating it; the company cautioned users about the situation but did not reset account passwords at that time.[13]

Yahoo officially reported the 2014 breach to the public on September 22, 2016. Yahoo's actions to deal with the breach included invalidating unencrypted security questions and answers and asking potentially affected users to change their passwords.[14] Yahoo also claimed that the attack was state-sponsored and that there was no evidence that the attackers were still in the system.[14] The Federal Bureau of Investigation (FBI) confirmed that it was investigating the matter.[15] The Wall Street Journal reported that a security firm, which had access to a portion of Yahoo's database, believed that the attackers were criminal in nature rather than state-sponsored, and that the database had been sold repeatedly.[16]

In its November 2016 U.S. Securities and Exchange Commission (SEC) filing, Yahoo reported that it had been aware of an intrusion into its network in 2014, but had not understood the extent of the breach until it began an investigation of a separate data breach incident around July 2016.[17][18] Yahoo's previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.[19] The November filing noted that the company believed one of the data breaches had been conducted through a cookie-based attack that allowed hackers to authenticate as any other user without their password.[17][20][21] (In an SEC regulatory filing in 2017, Yahoo reported that 32 million accounts were accessed through this cookie-based attack during 2015 and 2016.[22])

In December 2016, Yahoo disclosed the 2013 breach and said that one billion user accounts had been compromised.[23] Almost a year later, in October 2017, the company revised that estimate and reported that all three billion Yahoo accounts had been compromised in the breach.[23]

Yahoo's internal review of the situation found that Mayer and other key executives knew of the intrusions but failed to inform the company or take steps to prevent further breaches. The review led to the resignation of the company's General Counsel, Ronald S. Bell, by March 2017, and Mayer's $12 million equity compensation and bonus for 2016 and 2017 were pulled.[24]

Prosecution

Russian FSB agent Dmitry Dokuchaev who has been charged with the breach by the FBI

On March 15, 2017, the FBI charged four men with the 2014 breach, including two who were working for Russia's Federal Security Service (FSB). In its statement, the FBI said "The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale."[25]

The four men accused include hacker Alexey Belan, who was on the FBI Ten Most Wanted Fugitives list; FSB agents Dmitry Dokuchaev and Igor Sushchin, whom the FBI accused of paying Belan and other hackers to conduct the hack; and Canadian hacker Karim Baratov. The FBI claimed that Dokuchaev and Sushchin paid Karim Baratov to use data obtained by the Yahoo breaches to break into about 80 non-Yahoo accounts of specific targets.[26] Russian officials have denied any involvement.[27][28]

Baratov, the only man arrested, was extradited to the United States in August 2017.[29] He pled guilty, admitting to hacking into at least 80 email accounts on behalf of Russian contacts. He was charged with nine counts of hacking, and in May 2018 was sentenced to 5 years in prison and ordered to pay $2.25 million and restitution to his victims.[30] His memoir, published in 2023, describes a party lifestyle funded by hacking into the email accounts of thousands of people.[31]

Reactions and criticism

Yahoo's delay in discovering and reporting these breaches, as well as implementing improved security features, has been roundly criticized at all levels.[32]

Verizon Communications deal

Before the announcement of the breaches, Verizon Communications had entered into negotiations and approval to purchase a portion of the Yahoo properties for $4.8 billion, with the deal set to close in March 2017.[33] Yahoo only disclosed the 2014 breach to Verizon two days prior to Yahoo's September announcement.[15] Verizon CEO Lowell McAdam said he wasn't shocked by the hack, saying "we all live in an internet world, it's not a question of if you're going to get hacked but when you are going to get hacked".[34] In February 2017, Verizon and Yahoo announced that the deal would still go forward, but with the sale price reduced by $350 million, down to $4.48 billion.[35] The deal officially closed at this price in June 2017, with Mayer stepping down as CEO following the closure.[36] Under the revised terms, Verizon and Yahoo agreed to share the ongoing costs of the government investigation of the breaches.[37] The Yahoo company, which still held those properties not purchased by Verizon, was renamed Altaba in June 2017.[38] As Altaba was the original company, it was Altaba, rather than Verizon, that was subject to a later $35 million fine from the SEC.[39]

United States government

In a letter to Mayer, six U.S. Senators (Elizabeth Warren, Patrick Leahy, Al Franken, Richard Blumenthal, Ron Wyden and Ed Markey) demanded answers on when Yahoo discovered the late 2014 breach, and why it took so long to disclose it to the public, calling the time lag between the security breach and its disclosure "unacceptable".[40][41][42] On September 26, 2016, Senator Mark Warner asked the U.S. Securities and Exchange Commission (SEC) to investigate whether Yahoo and its senior executives fulfilled their obligations under federal securities laws to properly disclose the attack. In 2017, the SEC announced a $35 million fine against Altaba for failure to disclose the 2014 breach in a timely manner.[43][44]

Class action lawsuits

In November 2016, it was reported that 23 lawsuits related to the late 2014 breach had been filed against Yahoo.[18] In one lawsuit, filed in the U.S. District Court for the Southern District of California in San Diego, the plaintiffs contended that the hack caused an "intrusion into personal financial matters."[45]

Five of these 23 cases were combined into a single suit in early December 2016.[46][47] The case was later amended to include the updated breach information following Yahoo's announcement about the August 2013 breach.[48] Before a trial could commence, Verizon and Altaba agreed to split the cost of a $50 million settlement in October 2018 with those in the class action (an estimated 200 million total users), along with providing two years of free credit monitoring.[49] The judge rejected the settlement offer, questioning the lack of transparency of the details of the settlements, as well as high costs recouped by the lawyers through the settlement.[50] Yahoo agreed to settle for $117.5 million in April 2019, again offering affected users credit monitoring and a cash payout that depended on the number of respondents in the class.[51]

International

Foreign governments have also expressed concern about the data breaches. In October 2016, in a letter to Yahoo, the European privacy regulators' Article 29 Data Protection Working Party outlined concerns about the 2014 data breach as well as allegations that the company built a system that scanned customers' incoming emails at the request of U.S. intelligence services.[52][53] They asked Yahoo to communicate all aspects of the data breach to the European Union authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations".[54] Ireland's Data Protection Commissioner (the lead European regulator on privacy issues for Yahoo because Yahoo's European headquarters are in Dublin) investigated the breach and issued a statement that "Yahoo’s oversight of the data processing operations performed by its data processor did not meet the standard required by EU data protection law" and that "Yahoo did not take sufficient reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law", although no fine was issued.[55] Germany's Federal Office for Information Security criticized Yahoo following the December 2016 announcement, stating "security is not a foreign concept", and warned government and other German users to seek email and internet solutions from companies with better security approaches.[56]

References

  1. ^ Goel, Vindu (December 14, 2016). "Yahoo Says 1 Billion User Accounts Were Hacked". The New York Times. Archived from the original on December 14, 2016. Retrieved December 14, 2016.
  2. ^ McMillan, Robert; Knutson, Ryan (October 3, 2017). "Yahoo Triples Estimate of Breached Accounts to 3". The Wall Street Journal. Archived from the original on January 26, 2021. Retrieved October 3, 2017.
  3. ^ Haselton, Todd (October 3, 2017). "Yahoo just said every single account was affected by 2013 attack — 3 billion in all". CNBC. Archived from the original on October 3, 2017. Retrieved October 3, 2017.
  4. ^ a b Trautman, Lawrence J.; Ormerod, Peter (February 9, 2017). "Corporate Directors' and Officers' Cybersecurity Standard of Care: The Yahoo Data Breach". American University Law Review. 66: 1231. doi:10.2139/ssrn.2883607. Retrieved May 1, 2024.
  5. ^ Shabad, Rebecca (November 8, 2017). "Yahoo hack, Equifax data breach hearing: Richard Smith and Marissa Mayer will testify to Senate Commerce Committee". www.cbsnews.com. Retrieved March 26, 2024.
  6. ^ a b U.S. Department of Justice. "Indictment". Department of Justice. Retrieved March 26, 2024.
  7. ^ Newcomb, Alyssa (September 22, 2016). "Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts". NBC News. Archived from the original on September 22, 2016. Retrieved September 22, 2016.
  8. ^ "Account Security Issue FAQs". Yahoo!. Archived from the original on September 22, 2016. Retrieved September 23, 2016.
  9. ^ Shankar, Nithya; Mohammed, Zareef (2020). "Surviving Data Breaches: A Multiple Case Study Analysis". Journal of Comparative International Management. 23 (1): 35–54.
  10. ^ Goodin, Dan (September 22, 2016). "Yahoo says half a billion accounts breached by nation-sponsored hackers". Ars Technica. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  11. ^ Perlroth, Nicole; Goel, Vindu (September 28, 2016). "Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say". The New York Times. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  12. ^ Shankar, Nithya; Mohammed, Zareef (2020). "Surviving Data Breaches: A Multiple Case Study Analysis". Journal of Comparative International Management. 23: 35–54. doi:10.7202/1071508ar.
  13. ^ a b Cox, Joseph (August 1, 2016). "Yahoo 'Aware' Hacker Is Advertising 200 Million Supposed Accounts on Dark Web". Vice. Archived from the original on December 15, 2016. Retrieved December 16, 2016.
  14. ^ a b "An Important Message to Yahoo Users on Security". www.businesswire.com. September 22, 2016. Retrieved March 26, 2024.
  15. ^ a b "Yahoo 'state' hackers stole data from 500 million users". BBC News. September 23, 2016. Archived from the original on September 23, 2016. Retrieved September 23, 2016.
  16. ^ McMillan, Robert. "Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says". WSJ. Retrieved May 27, 2024.
  17. ^ a b "Yahoo discovered hack leading to major data breach two years before it was disclosed". The Washington Post. Archived from the original on November 11, 2016. Retrieved November 10, 2016.
  18. ^ a b Goel, Vindu (November 10, 2016). "Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack". The New York Times. Archived from the original on November 10, 2016. Retrieved November 10, 2016.
  19. ^ McMillan, Robert. "Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says". WSJ. The Wall Street Journal. Archived from the original on October 15, 2016. Retrieved October 15, 2016.
  20. ^ "Yahoo knew of 'state-backed' hack in 2014". BBC News. November 10, 2016. Archived from the original on November 10, 2016. Retrieved November 10, 2016.
  21. ^ Vaas, Lisa (November 11, 2016). "Yahoo staff knew they were breached two years ago". Naked Security. Archived from the original on December 17, 2016. Retrieved December 12, 2016.
  22. ^ Lawler, Richard (March 1, 2017). "Yahoo hackers accessed 32 million accounts with forged cookies". Engadget. Archived from the original on March 2, 2017. Retrieved March 1, 2017.
  23. ^ a b Rushe, Dominic (October 3, 2017). "Yahoo says all of its 3bn accounts were affected by 2013 hacking". The Guardian. ISSN 0261-3077. Retrieved March 26, 2024.
  24. ^ Goel, Vindu (March 1, 2017). "Yahoo's Top Lawyer Resigns and C.E.O. Marissa Mayer Loses Bonus in Wake of Hack". The New York Times. Archived from the original on March 16, 2017. Retrieved March 15, 2017.
  25. ^ Goel, Vindu (March 15, 2017). "Russian Agents Were Behind Yahoo Breach, U.S. Says". The New York Times. Archived from the original on March 16, 2017. Retrieved March 15, 2017.
  26. ^ Raymond, Nate (November 24, 2017). "Canadian charged in Yahoo hacking case to plead guilty in U.S." Reuters. Archived from the original on November 26, 2017. Retrieved November 27, 2017.
  27. ^ Braga, Matthew (March 17, 2017). "Here's how the FBI says Russian hackers stole Yahoo account secrets". CBC News. Retrieved May 1, 2024. Using a variety of techniques to bypass security measures, hackers sought access to myriad email accounts
  28. ^ Eckel, Mike; Schreck, Carl (March 18, 2017). "Undercover FSB Officer Indicted By U.S. Worked For Moscow Investment Bank". Radio Free Europe/Radio Liberty. Retrieved May 1, 2024.
  29. ^ Bennett, Kelly. "Karim Baratov, alleged Yahoo hacker, pleads not guilty in U.S. court".
  30. ^ Moon, Mariella (May 30, 2018). "Attacker involved in 2014 Yahoo hack gets five years in prison". Engadget. Archived from the original on May 31, 2018. Retrieved May 30, 2018.
  31. ^ Baratov, Karim (2023). Disconnected: A Memoir of the Yahoo Hacker. Retrieved March 26, 2024.
  32. ^ "Why Yahoo's Security Problems Are a Story of Too Little, Too Late". Reuters. December 19, 2016. Archived from the original on December 19, 2016. Retrieved December 19, 2016.
  33. ^ Larson, Selena (September 23, 2016). "Yahoo facing lawsuits in the wake of massive data breach". CNN. Archived from the original on September 25, 2016. Retrieved September 25, 2016.
  34. ^ Knutson, Ryan; Wells, Georgia (October 10, 2016). "Verizon CEO Says Evaluating Whether Yahoo Hack Had 'Material Impact'". The Wall Street Journal. ProQuest 1827509919. Archived from the original on February 22, 2017. Retrieved March 23, 2023.
  35. ^ "Yahoo Data Breach: What Actually Happened?". BPB Online. Archived from the original on April 28, 2021. Retrieved April 28, 2021.
  36. ^ "Verizon closes Yahoo deal, Mayer steps down". Reuters. June 14, 2017. Archived from the original on June 13, 2017. Retrieved June 14, 2017.
  37. ^ "Verizon revises deal with Yahoo to $4.48 billion". Reuters. February 21, 2017. Archived from the original on February 22, 2017. Retrieved February 21, 2017 – via CNBC.
  38. ^ La Monica, Paul (June 19, 2017). "So long, Yahoo. Hello ... Altaba?". CNN. Archived from the original on April 13, 2018. Retrieved April 24, 2018.
  39. ^ Kastrenakes, Jacob (January 10, 2017). "Yahoo isn't really going away (at least, not yet)". The Verge. Retrieved April 2, 2024.
  40. ^ "Letter to Marissa Mayer signed by 6 senators" (PDF). leahy.senate.gov. Archived (PDF) from the original on October 3, 2016. Retrieved September 30, 2016.
  41. ^ Fisher, Dennis (September 28, 2016). "Senators Demand Answers of Mayer on Yahoo Data Breach". OnTheWire. Archived from the original on October 2, 2016. Retrieved September 30, 2016.
  42. ^ Kuchler, Hannah (September 27, 2016). "US senators demand answers from Yahoo". The Financial Times. Archived from the original on March 23, 2023. Retrieved September 30, 2016.
  43. ^ Kastrenakes, Jacob (April 24, 2018). "SEC issues $35 million fine over Yahoo failing to disclose data breach". The Verge. Archived from the original on April 24, 2018. Retrieved April 24, 2018.
  44. ^ Merle, Renae (October 23, 2021). "Yahoo fined $35 million for failing to disclose cyber breach". Washington Post. ISSN 0190-8286. Retrieved April 2, 2024.
  45. ^ Larson, Selena (September 23, 2016). "Yahoo facing lawsuits in the wake of massive data breach". CNNMoney. Retrieved May 27, 2024.
  46. ^ Baron, Ethan (December 8, 2016). "Yahoo data-breach class-action lawsuits joined together in San Jose federal court". Silicon Beat. Archived from the original on December 11, 2016. Retrieved December 15, 2016.
  47. ^ Stempel, Jonathan (August 31, 2017). "Yahoo must face litigation by data breach victims: U.S. judge". Reuters. Archived from the original on September 1, 2017. Retrieved August 31, 2017.
  48. ^ Stempel, Jonathan (March 12, 2018). "Data breach victims can sue Yahoo in the United States: judge". Reuters. Archived from the original on March 12, 2018. Retrieved March 12, 2018.
  49. ^ Liedtke, Michael (October 23, 2018). "Yahoo to pay $50M, other costs for massive security breach". ABC News. Archived from the original on October 23, 2018. Retrieved October 23, 2018.
  50. ^ Fingas, Jon (January 29, 2019). "Judge rejects Yahoo's proposed settlement over data breaches". Engadget. Archived from the original on January 29, 2019. Retrieved January 29, 2019.
  51. ^ Brodkin, Jon (April 10, 2019). "Yahoo tries to settle 3-billion-account data breach with $118 million payout". Ars Technica. Archived from the original on October 1, 2019. Retrieved October 1, 2019.
  52. ^ "ARTICLE 29 Data Protection Working Party Letter To Yahoo!" (PDF). Archived (PDF) from the original on November 4, 2016. Retrieved November 2, 2016.
  53. ^ Drozdiak, Natalia (October 28, 2016). "EU Issues Data-Protection Warning to WhatsApp, Yahoo". The Wall Street Journal. ProQuest 1833042031. Archived from the original on January 4, 2017. Retrieved March 23, 2023.
  54. ^ Fioretti, Julia (October 28, 2016). "EU data protection watchdogs warn WhatsApp, Yahoo on privacy". Reuters. Archived from the original on October 29, 2016. Retrieved October 29, 2016.
  55. ^ "Data Protection Commission". Data Protection Commission. Retrieved May 27, 2024.
  56. ^ "Germany Slams Yahoo Over Cybersecurity Practices". Reuters. December 15, 2016. Archived from the original on December 16, 2016. Retrieved December 15, 2016.

External links