Yahoo hit in worst hack ever, 500 million accounts swiped

The internet company, being bought by Verizon, says a state-sponsored actor stole email addresses, passwords and birth dates. Change your passwords. Now.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Alfred Ng
Laura Hautala
4 min read
Watch this: 500 million Yahoo accounts stolen

Hackers swiped personal information associated with at least a half billion Yahoo accounts, the internet giant said Thursday, marking the biggest data breach in history.

The hack, which took place in 2014, revealed names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, Yahoo said in a press release. Encrypted passwords, which are jumbled so only a person with the right passcode can read them, were also taken.

The internet pioneer, which is in the process of selling itself to Verizon, said it's "working closely" with law enforcement. It called the hackers a "state-sponsored actor," though it didn't identify a country behind the breach.

Yahoo urged users to change their passwords if they haven't since 2014. The company has 1 billion monthly active users for all its internet services, which span finance, online shopping and fantasy football. Its mail service alone has about 225 million monthly active users, Yahoo told CNET in June.

The hack serves as a reminder of how widespread hacking is and highlights the vulnerability of passwords. Cybersecurity specialists recommend using a different password for each account you have on the internet. Other experts are working on alternatives to passwords, such as biometrics like your fingerprint or retina.

"Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud," said Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives. "We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether."


The breach has exposed at least 500 million accounts' names, email addresses, phone numbers and dates of birth. In some cases, security questions and answers too.

Justin Sullivan, Getty Images

Verizon, which is paying $4.83 billion for Yahoo, said it was notified of the massive breach within the last two days. The telecommunications giant had "limited information and understanding of the impact," according to a statement.

"We will evaluate, as the investigation continues, through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," Verizon said.

B. Riley & Co. analyst Sameet Sinha told The Wall Street Journal the breach was unlikely to affect the sale to Verizon.

Virginia Sen. Mark Warner, a member of the newly formed Senate Cybersecurity Caucus, criticized Yahoo for not discovering the breach when it originally happened in 2014.

"While we have seen more and more data breaches in the private sector in recent years, many of them affecting millions of consumers, the seriousness of this breach at Yahoo is huge," Warner said.

The Privacy Rights Clearinghouse, a nonprofit organization that tracks cybersecurity breaches, said the hack was the largest-ever publicly disclosed breach.

Yahoo has taken steps to protect its users, including invalidating security questions and answers, but the real risk lies in hackers using the passwords on other websites.

"We typically see a 0.1 percent to 2 percent log-in success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites," said Shuman Ghosemajumder, Google's former click-fraud czar and CTO of Shape Security.

Facebook co-founder Mark Zuckerberg's Twitter account was hacked using a similar method after the passwords of more than 100 million LinkedIn members were leaked.

It will take Yahoo at least several months before it starts regaining users' trust, according to research from Alertsec. The encryption provider did a study that found about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches.

"When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair," CEO Ebba Blitz said in a statement.

On August 1, a hacker named "Peace" claimed to have breached 200 million Yahoo usernames and passwords from a hack in 2012, and offered to sell them on the dark web after trying to do the same with MySpace and LinkedIn accounts.

A person familiar with the situation said Peace's assertion prompted Yahoo to initiate an internal investigation. That investigation found no evidence that substantiated Peace's claim, but the investigating team found indications that a state-sponsored actor had stolen data in 2014.

Former Yahoo information security officer Jeremiah Grossman, now chief of security strategy at SentinelOne, said that internet companies, especially giants like Yahoo, face challenges protecting enormous computer networks because the networks offer so many points of entry to attackers.

"It's unsurprising when breaches, even of this magnitude, take place," Grossman said. "Yahoo certainly isn't the first. And they won't be the last."

This story was originally published at 6:30 a.m. PT.
Updates, 10:20 a.m., 12:09, 12:41, 2:08, 2:30, 3:10, 4:15 and 4:42 p.m. PT: Added details of the 2012 hack that affected Yahoo, LinkedIn and MySpace, and added statements from Yahoo and Verizon, and analysis from experts.