Yahoo sets hack record at 1 billion accounts

A new breach revealed by the troubled internet pioneer compromises twice as many user accounts as the record hack it disclosed in September.

Laura Hautala
Richard Nieva Former senior reporter

It seems Yahoo has outdone itself.

The company said Wednesday that it was hit by yet another hacking attack, this time affecting more than 1 billion user accounts. That's double the number affected by a hack revealed in September.

The hack occurred in August 2013. Stolen data included users' names, email addresses, telephone numbers, dates of birth, and hashed passwords. Those passwords were scrambled with MD5, a hashing algorithm that experts say is possible to crack with some patience. The data also included some security questions and answers, some of which weren't encrypted.


"Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords," the company said in a statement. "Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account."

Among the victims are more than 150,000 US government and military employees, presenting a threat to national security, according to a Bloomberg report. The accounts belong to current and former White House staff, congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the US military.

The breach is another black eye for Chief Executive Marissa Mayer, who joined Yahoo in 2012 amid great fanfare. The former Google executive was charged with turning Yahoo around and tried to bring the lumbering company into the smartphone era. She made big bets on mobile, refreshing all of the company's mobile apps, but Yahoo hasn't been able to make much money off her projects.

The announcement caps off a rough few months for the troubled tech giant and leaves another blemish on a company seeking to sell itself to Verizon. When Yahoo announced a separate data breach in September, in which hackers in 2014 swiped user information from half a billion accounts, it was said to be the biggest cybersecurity breach ever.

Two weeks later, the company again came under fire after a report said Yahoo built tools to surveil customers' emails for US intelligence officials.

All the while, Yahoo has been awaiting its fate with Verizon, which agreed to buy the company for $4.8 billion in July. The deal is set to close in the first quarter of next year, but Yahoo's disclosure of the previous hack had given Verizon executives pause about the deal.

"We are confident in Yahoo's value and we continue to work toward integration with Verizon," a Yahoo spokeswoman said Wednesday.

Verizon issued a statement that didn't say whether the news of the hack would have an impact on the acquisition. "As we've said all along, we will evaluate the situation as Yahoo continues its investigation," Verizon's statement read. "We will review the impact of this new development before reaching any final conclusions."

Sumit Agarwal, co-founder and vice president of product at cybersecurity company Shape Security, said the increasingly damaging hacks that Yahoo has announced fit a clear pattern in companies that don't have their security locked down. Often, he said, companies and organizations start by describing their cybersecurity woes in small terms but keep adding new casualties to the list.

"When entities have mediocre security hygiene, they inevitably end up having lost the keys to a much larger kingdom than we originally thought," Agarwal said.

The personal information hackers stole could be used in combination with other hacked data, he added. If a criminal already has a credit card number, he might be able to use the stolen Yahoo data to find the answers to security questions that go along with it, for example.

Yahoo also said in its statement that hackers stole the software it uses to create cookies, the browser tools that can let someone enter an account without a password. Yahoo said it believes that hacking may be related to the same state-sponsored hacking group it suspects is responsible for the 2014 hack.

Dmitri Sirota, CEO of data protection company BigID, said high profile individuals with Yahoo accounts might have been the real target of the hack.

"The reality is within that billion users, there's probably a couple politicians, a few celebrities, a few people in key industries," Sirota said.

Updated 10:32 a.m. PT to clarify that Yahoo doesn't know who stole its data in the 2013 breach of 1 billion user records.