In September 2016, Yahoo coped with a breach of 500 million user records, making it one of the top five biggest data breaches in history. It is only Yahoo’s second biggest. Russian cybercriminals were in possession of hundreds of millions of Yahoo accounts as early as September of that year. They sold the accounts en masse on the Dark Web at a price tag of $300,000. It was later discovered that this breach, and the data sold by the group, were inconsistent. Another entirely separate breach, which compromised three billion accounts, turned out to be four times larger than the second largest data breach in history.
By that point, yet more cybercriminal entities and intelligence agencies belonging to at least three separate nations had been running loose inside Yahoo’s IT systems for years. This unprecedented breadth of Yahoo’s security failures might have served as a wake-up call for the cybersecurity industry. Instead, experts warn that the underlying issues that enabled those events are still very much present in the Internet of 2024.
“Although the Yahoo breaches occurred 10 and nine years ago, most organizations worldwide are as susceptible as Yahoo to three core issues,” according to Jason Casey, CEO of Beyond Identity. The means of the second attack by Russian hacker Alexsey Belan involved a standard phishing email to a mid-level employee. Yahoo had encrypted some of its users’ passwords with the defunct MD5 algorithm, and some security questions were left unencrypted. The company also lacked commitment to protecting customers and governance of corporate security concerns.
One crucial part of Yahoo’s story is how companies now handle data privacy and corporate accountability. The SEC requires companies to disclose such breaches within four days of discovery. “The SEC’s action against Yahoo for failing to adequately disclose the breach was a watershed moment. It underscored the importance of transparency and stakeholder communication during cyber incidents,” says AJ Yawn, partner-in-charge of product and innovation at Armanino.