Both breaches are considered the largest ever discovered and included names, email addresses, phone numbers, birth dates, and security questions—both encrypted and unencrypted.
These incidents led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov, who received a five-year prison sentence, and also prompted widespread criticism of Yahoo for its delayed response.
[5] A year after Yahoo was identified by the American whistleblower Edward Snowden as a frequent target for state-sponsored hackers in 2013, the company hired a dedicated chief information security officer, Alex Stamos.
[13] Yahoo stated it was aware of the data and was evaluating it, and cautioned users about the situation, but did not reset account passwords at that time.
Yahoo's actions to deal with the breach included invalidating unencrypted security questions and answers and asking potentially affected users to change their passwords.
[19] The November filing noted that the company believed one of the data breaches had been conducted through a cookie-based attack that allowed hackers to authenticate as any other user without their password.
[23] Yahoo's internal review of the situation found that Mayer and other key executives knew of the intrusions but failed to inform the company or take steps to prevent further breaches.
The review led to the resignation of the company's General Counsel, Ronald S. Bell, by March 2017, and Mayer's $12 million equity compensation and bonus for 2016 and 2017 were pulled.
[24] On March 15, 2017, the FBI charged four men with the 2014 breach, including two who were working for Russia's Federal Security Service (FSB).
The FBI claimed that Dokuchaev and Sushchin paid Karim Baratov to use data obtained by the Yahoo breaches to break into about 80 non-Yahoo accounts of specific targets.
[31] Yahoo's delay in discovering and reporting these breaches, as well as implementing improved security features, has been roundly criticized at all levels.
[32] Before the announcement of the breaches, Verizon Communications had entered into negotiations and approval to purchase a portion of the Yahoo properties for $4.8 billion, with the deal set to close in March 2017.
[50] Yahoo agreed to settle for $117.5 million in April 2019, again offering affected users credit monitoring and a cash payout that depended on the number of respondents in the class.