The Yahoo Breaches of 2013 and 2014
Neil Daswani, Moudy Elbayadi
Abstract
In 2016, Yahoo disclosed to the public that it had been breached in 2014. Yahoo’s 2014 breach exposed the names, email addresses, telephone numbers, birthdates, “hashed” passwords, and, in some cases, security questions of over 500 million users. While investigating the breach of 2014, Yahoo discovered that the company had been separately breached in 2013. Yahoo initially reported that the 2013 breach affected over one billion users while it was in the process of getting acquired by Verizon. In October 2017, after its acquisition by Verizon was complete, Yahoo reported that the 2013 breach affected all three billion users. Figure 7-1 shows a timeline of these breaches and the major events that occurred after the breaches. Yahoo was questioned and criticized for disclosing the breaches two to three years after they occurred. During a Senate hearing that took place in the aftermath of the breaches, frustrated Senator Thune of South Dakota asked former Yahoo CEO Marissa Mayer, “Why the delay in disclosing it? I mean it took from 2013, three years.”