Yahoo data breaches

In 2013 and 2014, the American web services company Yahoo was subjected to two of the largest data breaches on record. Although Yahoo was aware, neither breach was revealed publicly until September 2016.

The 2013 data breach occurred on Yahoo servers in August 2013 and affected all three billion user accounts. The 2014 breach affected over 500 million user accounts. Both breaches are considered the largest ever discovered and included names, email addresses, phone numbers, birth dates, and security questions—both encrypted and unencrypted. When Yahoo made the breaches public in 2016, they acknowledged being aware of the second intrusion since 2014.

These incidents led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov who received a five-year prison sentence and also prompted widespread criticism of Yahoo for their delayed response. The fallout included a U.S. $117.5 million class-action lawsuit settlement, a $35 million fine from the U.S. Securities and Exchange Commission, scrutiny by the United States Congress, and complications for Verizon Communication's 2017 acquisition of Yahoo.