Due to systemic failures in its cyber security systems, between 2012 and 2016, Yahoo suffered a series of system hacks by organised crime groups. This page explains how the Yahoo data breaches happened.
In 2018, the Information Commissioner’s Office fined Yahoo £250,000 over a hack that affected more than 515,000 UK email accounts.
The fine related to a 2014 Russian state-sponsored cyber-attack, which resulted in personal data being stolen from over 500 million Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, the data breach wasn’t reported until September 2016.
Due to poor data security practices at Yahoo, cybercriminals managed to steal data from millions of Yahoo customers. This included:
Around July 2016, the personal data of around 200 million Yahoo accounts was put up for sale on the dark web.
Yahoo also reported that hackers likely used manufactured web cookies to falsify login credentials. This meant they could gain access to any account without a password.
In 2017, the FBI officially charged four men, including two who worked for Russia’s Federal Security Service (FSB), with the breach.
Following the Yahoo data breach, the Information Commissioner’s Office (ICO) investigated the privacy violation. While people in many different countries were involved, the ICO investigation focused on UK accounts that were co-branded Sky and Yahoo, and which the London-based branch of Yahoo had responsibility for.
Following its inquiry, the ICO found that Yahoo had “failed to prevent” the hack. It condemned “inadequacies” at Yahoo that had existed for some time without being “discovered or addressed”. The investigation also found that:
According to an ICO spokesperson: “The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”
As a result, the ICO imposed a £250,000 fine on Yahoo. However, this represented less than 0.4% of Yahoo UK’s 2016 gross profit.
If you had a Yahoo account between January 1, 2012 and December 31, 2016, you could have been affected by this data violation.
The 2013 Yahoo data breach was separate from the 2014 incident. This hack was conducted by an “unauthorized third party”, and the data accessed was similar to that compromised in the 2014 breach. This violation involved three billion user accounts.
In September 2019, Yahoo agreed to a $117.5 million settlement with the millions of users whose personal information was stolen in what was dubbed the “largest data breach in history”. The money was only available to people who lived in the US and Israel.