Yahoo! data breaches
The Internet service company Yahoo! was subject to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.
Yahoo! has been criticized for their late disclosure of the breaches and their security measures, and is currently facing several lawsuits as well as investigation by members of the United States Congress. The breaches impacted Verizon Communications's July 2016 plans to acquire Yahoo! for about $4.8 billion, which resulted in a decrease of $350 million in the final price on the deal closed in June 2017.
July 2016 discovery
Around July 2016, account names and passwords for about 200 million Yahoo! accounts were presented for sale on the darknet market site "TheRealDeal". The seller, known as "Peace_of_Mind" or simply "Peace", stated in confidential interviews with Vice and Wired that he had the data for some time and had been selling it privately since about late 2015. Peace has previously been connected to sales of similar private information data from other hacks including that from the 2012 LinkedIn hack. Peace stated the data likely dates back to 2012, and security experts believed it may have been parts of other data hacks at that time; while some of the sample accounts were still active, they lacked the information necessary to log in, reflecting their age. Experts believe that Peace is only a broker of the information that hackers obtain and sell through him. Yahoo! stated they were aware of the data and were evaluating it, cautioning users about the situation, but did not reset account passwords at that time.
Late 2014 breach
The first reported data breach in 2016 had taken place sometime in late 2014, according to Yahoo! The hackers had obtained data from over 500 million user accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Security experts noted that the majority of Yahoo!'s passwords used the bcrypt hashing algorithm, which is considered difficult to crack, with the rest using the older MD5 algorithm, which can be broken rather quickly.
Such information, especially security questions and answers, could help hackers break into victims' other online accounts. Computer security experts cautioned that the incident could have far-reaching consequences involving privacy, potentially including finance and banking as well as personal information of people's lives, including information pulled from any other accounts that can be hacked with the gained account data. Experts also noted that there may be millions of people with Flickr, Sky and/or BT accounts who do not realize that they indirectly have a Yahoo! account as a result of past acquisitions and agreements made with Yahoo!, or even Yahoo! users who stopped using their accounts years earlier.
Yahoo! reported the breach to the public on September 22, 2016. Yahoo! believes the breach was committed by "state-sponsored" hackers, but did not name any country. Yahoo! affirmed the hacker was no longer in their systems and that the company was fully cooperating with law enforcement. The Federal Bureau of Investigation (FBI) confirmed that it was investigating the affair.
In its November 2016 SEC filing, Yahoo! reported they had been aware of an intrusion into their network in 2014, but had not understood the extent of the breach until it began investigation of a separate data breach incident around July 2016. Wired believes this separate data breach involved the Peace data from July 2016. Yahoo!'s previous SEC filing on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.
The November 2016 SEC filing noted that the company believed the data breach had been conducted through a cookie-based attack that allowed hackers to authenticate as any other user without their password. Yahoo! and its outside security analysts confirmed this was the method of intrusion in their December 2016 announcement of the August 2013 data breach, and had invalidated all previous cookies to eliminate this route. In a regulatory filing in 2017, Yahoo! reported that 32 million accounts were accessed through this cookie-based attack through 2015 and 2016. Multiple experts believe that the security breach was the largest such incident made public in the history of the Internet at the time.
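The following sketch is an added illustration, not part of the original article and not Yahoo!'s code: it models why invalidating all previously issued cookies, as described above, means retiring the signing key rather than only setting an issuance cutoff. It assumes a generic HMAC-signed session cookie and a forging party that holds a copy of the old signing secret; the class, key names, secrets and timestamps are constructed for the example, since the article does not describe Yahoo!'s cookie format or how the cookies were forged.

```python
import base64
import hashlib
import hmac
import json
import time


class SessionCookies:
    """Generic HMAC-signed session cookies with versioned keys (illustrative design)."""

    def __init__(self, keys, active_kid):
        self.keys = dict(keys)        # key id -> secret bytes accepted for verification
        self.active_kid = active_kid  # key id used for newly issued cookies
        self.not_before = 0           # cookies with an earlier issue time are rejected

    def _mac(self, kid, payload_b64):
        msg = kid.encode() + b"." + payload_b64.encode()
        return hmac.new(self.keys[kid], msg, hashlib.sha256).hexdigest()

    def issue(self, user, now=None, ttl=3600):
        now = int(time.time()) if now is None else now
        body = json.dumps({"u": user, "iat": now, "exp": now + ttl}, sort_keys=True)
        payload = base64.urlsafe_b64encode(body.encode()).decode()
        kid = self.active_kid
        return f"{kid}.{payload}.{self._mac(kid, payload)}"

    def verify(self, cookie, now=None):
        """Return (user, "ok") or (None, reason)."""
        now = int(time.time()) if now is None else now
        parts = cookie.split(".")
        if len(parts) != 3:
            return None, "malformed"
        kid, payload, mac = parts
        if kid not in self.keys:
            return None, "unknown-or-retired-key"
        # Constant-time comparison of the expected and presented MAC.
        if not hmac.compare_digest(self._mac(kid, payload).encode(), mac.encode()):
            return None, "bad-signature"
        try:
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except ValueError:
            return None, "malformed"
        if claims["iat"] < self.not_before:
            return None, "issued-before-cutoff"
        if claims["exp"] <= now:
            return None, "expired"
        return claims["u"], "ok"

    def set_cutoff(self, now):
        """Partial response: reject cookies issued before `now`, keep the same key."""
        self.not_before = now

    def rotate(self, new_kid, new_secret, now):
        """Full response: retire every old key, so nothing signed with one verifies."""
        self.keys = {new_kid: new_secret}
        self.active_kid = new_kid
        self.not_before = now


def demo():
    t0 = 1_700_000_000                       # constructed timestamp
    old_secret = b"constructed-old-secret"   # constructed secret
    server = SessionCookies({"k1": old_secret}, "k1")
    # Assumption: the forging party is modelled as holding a copy of the old secret.
    forger = SessionCookies({"k1": old_secret}, "k1")

    legit = server.issue("alice", now=t0)
    results = {"forged_before": server.verify(forger.issue("alice", now=t0), now=t0 + 10)}

    # Response A: issuance cutoff only. Genuine old sessions are dropped, but the
    # issue time sits inside the signed payload, so a cookie minted afterwards
    # with the old secret still verifies.
    server.set_cutoff(t0 + 100)
    results["legit_after_cutoff"] = server.verify(legit, now=t0 + 110)
    reminted = forger.issue("alice", now=t0 + 105)
    results["forged_after_cutoff"] = server.verify(reminted, now=t0 + 110)

    # Response B: retire the old key. Every cookie tied to it fails, and users
    # obtain a new cookie by logging in again.
    server.rotate("k2", b"constructed-new-secret", now=t0 + 200)
    results["forged_after_rotation"] = server.verify(reminted, now=t0 + 210)
    results["new_login"] = server.verify(server.issue("alice", now=t0 + 205), now=t0 + 210)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:24} {outcome}")
```

A password reset appears nowhere in `verify`, which is why, in this model, changing passwords alone does not end access through a forged cookie.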
August 2013 breach
The first data breach occurred on Yahoo! servers in August 2013; Yahoo! stated this was a separate breach from the late 2014 one and was conducted by an "unauthorized third party". Similar data as from the late 2014 breach had been taken from over 1 billion user accounts, including unencrypted security questions and answers. Yahoo! reported the breach on December 14, 2016, and forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future. In February 2017, Yahoo! notified some users that data from the breach and forged cookies could have been used to access these accounts. This breach is now considered the largest known breach of its kind on the Internet. In October 2017, Yahoo! updated its assessment of the hack, and stated that it believes all of its 3 billion accounts at the time of the August 2013 breach were affected.
According to Yahoo!, this new breach was discovered while it was reviewing data given to them from law enforcement from an unnamed third-party hacker about a month prior. They had been able to identify the method by which data were taken from the late 2014 hack using fake cookies during this investigation, but the method of the August 2013 breach was not clear to them upon their announcement. Andrew Komarov, chief intelligence officer of the cybersecurity firm InfoArmor, had been helping Yahoo! and law enforcement already in response to the Peace data. In trying to track down the source of Peace's data, he discovered evidence of this latest breach from a dark web seller offering a list of more than one billion Yahoo! accounts for about $300,000 in August 2015. While two of the three buyers of this data were found to be underground spammers, the third buyer had specifically asked the seller of the Yahoo! data to affirm if ten names of United States and foreign government officials were on the offered list and information associated with them. Suspecting that this buyer may have been related to a foreign intelligence agency, Komarov discovered that the offered data included the accounts of over 150,000 names of people working for the United States government and military, as well as additional accounts associated with European Union, Canadian, British, and Australian governments. Komarov alerted the appropriate agencies about this new data set and began working with them directly. Komarov noted that while U.S. government policies have changed to keep key intelligence employees as low-key as possible, these affected users likely set up Yahoo! accounts for personal use well before such policies were in place, and included their work details as part of their profiles, making this information highly valuable for foreign intelligence groups. Komarov had opted not to go to Yahoo! about the data, as they had previously been dismissive of InfoArmor's services, and Komarov believed that Yahoo! would not thoroughly investigate the situation as it would threaten their Verizon buyout.
In addition to government issues, Komarov and other security firms warned that the data from this breach can be used to attempt access to other accounts, since it included backup email contact addresses and security questions. Such data, these experts warn, could be used to create phishing attacks to lure users into revealing sensitive information which can then be used for malicious purposes. Hold Security, another cybersecurity firm, observed that some darkweb sellers were still selling this database for up to $200,000 as late as October 2016; Komarov found that the data continues to be available at a much lower price since the passwords have been forced changed, but the data can still be valuable for phishing attacks and gaining access to other accounts.
Attribution and motivation
According to Yahoo!, the 2014 breach was carried out by a "state-sponsored actor" and the organization claims that such "intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry". While Yahoo! did not name any country, some suspect China or Russia to be behind the hack, while others doubt Yahoo's claim of any state actor.
U.S. intelligence officials, who declined to give their names to the media, highlighted similarities between the attack and previous breaches linked to the Russian government. Yahoo! in fall 2014 detected what it believed was a small breach "involving 30 to 40 accounts", carried out by hackers believed to be "working on behalf of the Russian government", according to Yahoo! executives, because it was launched from computers in that country. Yahoo! reported the incident to the FBI in late 2014 and notified affected users.
Sean Sullivan, a security adviser at cyber security firm F-Secure Labs, declared China to be his top suspect and said that "there have been no past cases of a service provider like Yahoo! being targeted [by Russia]," whose hackers tend to perpetrate targeted attacks, either in areas important for their economy, such as the energy sector, or to undermine politicians, while "China likes to vacuum up all kinds of information" and "has a voracious appetite for personal information". Examples of state-sponsored data breaches with China in suspicion include the massive data breach of 18 million people from the United States Office of Personnel Management and the attacks on Google in 2010, dubbed Operation Aurora.
Others expressed doubt about Yahoo's claim of the attack being state-sponsored, as it would be less embarrassing for Yahoo! to attribute an attack to a nation state, which typically have the most sophisticated hacking capabilities, than to attribute it to a cybercriminal group or individual—particularly as Yahoo! was in the middle of being acquired by Verizon. Senior research scientist Kenneth Geers from Comodo, however, noted that "Yahoo! is a strategic player on the World Wide Web, which makes it a good—and valid—target for nation-state intelligence collection". One of the effects, if not the direct goal, of the breaches was the use of the stolen usernames and passwords for credential stuffing attacks.
InfoArmor issued a report that challenged Yahoo's claim that a nation-state orchestrated the heist after reviewing a small sample of compromised accounts. InfoArmor had been able to obtain the list of affected accounts for analysis. InfoArmor determined that the breach was likely the work of an Eastern European criminal gang that later sold the entire hacked database to at least three clients, including one state-sponsored group. According to InfoArmor, by early 2015, the group no longer offered to sell the full database, but sought "to extract something from the dump for significant amounts of money." The report noted that it was difficult to determine who the ultimate mastermind of a hack might be, as criminal hackers sometimes provide information to government intelligence agencies or offer their services for hire. Komarov said the hackers may be related to Group E, who have had a track record of selling stolen personal data on the dark web, primarily to underground spammers, and were previously linked to breaches at LinkedIn, Tumblr, and MySpace. InfoArmor had linked Group E as the source of the data that were offered by Peace, and believed that Group E was brokering the data to dark web sellers. While InfoArmor did not believe a state-sponsored agency committed the breach, they warned of implications on foreign intelligences, as the breaches "opens the door to significant opportunities for cyber-espionage and targeted attacks," and may be the key in several targeted attacks against U.S. government personnel, which resulted after the disclosed contacts of the affected high-level officials of intelligence community in October 2015.
Yahoo! stated that the 2013 breach is connected "to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016." White House spokespersons stated that the FBI is currently investigating this breach, though the scope of its impact is unclear. A United States official, speaking to CBS News, says that government investigators agree with Yahoo! that the hack was sponsored by a foreign state, possibly Russia. Security experts speculate that because little of the data from this 2013 breach have been made available on the black market, the breach was likely targeted to find information on specific people.
On March 15, 2017, the FBI officially charged the 2014 breach to four men, including two that work for Russia's Federal Security Service (FSB). In its statement, the FBI said "The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale." The four men accused include Alexsey Belan, a hacker on the FBI Ten Most Wanted Fugitives list; FSB agents Dmitry Dokuchaev and Igor Sushchin, who the FBI accused of paying Belan and other hackers to conduct the hack; and Canadian hacker Karim Baratov, who the FBI claimed was paid by Dokuchaev and Sushchin to use data obtained by the Yahoo! breaches to break into about 80 non-Yahoo! accounts of specific targets. Baratov, the only man currently arrested, was extradited to the United States, and initially pleaded not guilty to the charges in August 2017. However, he later pled guilty, admitting to hacking into at least 80 email accounts on behalf of Russian contacts. He was charged with nine counts of hacking, and in May 2018 sentenced to 5 years in prison and ordered to pay US$2.25 million and restitution to his victims.
Legal and commercial responses
Yahoo!'s delay in discovering and reporting these breaches, as well as implementing improved security features, has become a point of criticism. Yahoo! has been taken to task for having a seemingly lax attitude towards security: the company reportedly does not implement new security features as fast as other Internet companies, and after Yahoo! was identified by Edward Snowden as a frequent target for state-sponsored hackers in 2013, it took the company a full year before hiring a dedicated chief information security officer, Alex Stamos. While Stamos' hiring was praised by technology experts as showing Yahoo!'s commitment towards better security, Yahoo! CEO Marissa Mayer had reportedly denied Stamos and his security team sufficient funds to implement recommended stronger security measures, and he departed the company by 2015. Experts have pointed out that Yahoo!, only until the most recent breaches, had not forced affected users to change their passwords, a move that Mayer and her team believed would drive users away from the service. Some experts stated that implementing stronger security measures does take monetary resources, and Yahoo!'s financial situation has not allowed the company to invest in cybersecurity.
Yahoo!'s internal review of the situation found that Mayer and other key executives knew of the intrusions but failed to inform the company or take steps to prevent further breaches. The review led to the resignation of the company's principal lawyer, Ronald S. Bell, by March 2017, and Mayer's equity compensation bonus for 2016 and 2017 was pulled.
Verizon Communications merger deal
In July 2016, prior to the announcement of the breaches, Verizon Communications had entered into negotiations and approval to purchase a portion of the Yahoo! properties for $4.8 billion, with the deal set to close in March 2017. Verizon had become aware of the 2014 breach just two days prior to the Yahoo! September announcement. CEO Lowell McAdam said he wasn't shocked by the hack, saying "we all live in an internet world, it's not a question of if you're going to get hacked but when you are going to get hacked". He left the door open to possibly renegotiate the $4.83 billion price tag. Craig Silliman, Verizon's general counsel, told reporters in Washington that Verizon has "a reasonable basis to believe right now that the impact is material" and that they're "looking to Yahoo to demonstrate [...] the full impact". The company's reputation has suffered online in the last few months, according to an analysis by marketing firm Spredfast: about 90 percent of the Twitter comments about Yahoo! were negative in October, up from 68 percent in August, before news of the hack. Following the announcement of the August 2013 breach, Verizon was reportedly seeking to change terms of the deal to reflect the impact of these breaches, including lowering their offer or potentially seeking court action to terminate the deal. Verizon stated that they will "review the impact of this new development before reaching any final conclusions". In February 2017, Verizon and Yahoo! announced that the deal will still go forward, but with the sale price dropped by $350 million, down to $4.48 billion. The deal officially closed at this reduced price in June 2017, with Mayer stepping down as CEO following the closure. Verizon and Yahoo! will share jointly in the ongoing costs for the government investigation of the breaches under this new term. The remaining properties of Yahoo! not purchased by Verizon, which included the Alibaba Group, were renamed to Altaba in June 2017.
United States government
Members of the U.S. Government have been critical of Yahoo!'s reactions to these breaches. In a letter to Yahoo! CEO Marissa Mayer, six Democratic U.S. Senators (Elizabeth Warren, Patrick Leahy, Al Franken, Richard Blumenthal, Ron Wyden and Ed Markey) demanded answers on when Yahoo! discovered the late 2014 breach, and why it took so long to disclose it to the public, calling the time lag between the security breach and its disclosure 'unacceptable'. On September 26, 2016, Democratic senator Mark Warner asked the U.S. Securities and Exchange Commission (SEC) to investigate whether Yahoo! and its senior executives fulfilled their obligations under federal securities laws to properly disclose the attack. In his letter, Warner also asked the SEC to evaluate whether the current disclosure regime was adequate. Jacob Olcott, a former Senate Commerce Committee counsel who helped develop the SEC data breach disclosure rules, noted that due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo's discovery, the hack could become a test case of the SEC's guidelines. Following the announcement of the August 2013 breach, Sen. Warner called for a full investigation of the situation, asking "why its cyber defenses have been so weak as to have compromised over a billion users". In April 2018, the SEC announced that it had reached a deal with Altaba, the company that holds the assets of Yahoo! not purchased by Verizon, for US$35 million for failure to disclose the 2014 breach in a timely manner.
Class action lawsuits
By November 9, 2016, it was reported that 23 lawsuits related to the late 2014 breach had been filed against Yahoo! so far. In one lawsuit, filed in the U.S. District Court for the Southern District of California in San Diego, the plaintiffs contend that the hack caused an "intrusion into personal financial matters." In another lawsuit, filed in the U.S. District Court for the Northern District of California in San Jose, the plaintiff contends that Yahoo! acted with gross negligence in dealing with and reporting the security breach. Yahoo! declined to comment on ongoing litigation. Five of these 23 cases were combined into a single suit in early December 2016 to be heard in San Jose in March 2017. The presiding judge authorized the class-action lawsuit to go forward in August 2017, citing that those affected by the breach had the right to sue Yahoo! for breach of contract and unfair competition claims made in the original filing. The case was later amended to include the updated breach information following Yahoo!'s announcement about the August 2013 breach. By March 2018, Verizon, which had completed its acquisition of Yahoo!, sought to dismiss much of the case, but Judge Lucy H. Koh refused, allowing claims related to breach of contract and negligence to proceed to trial. Before trial could commence, Verizon and Altaba agreed to split the cost of a US$50 million settlement in October 2018 with those in the class action (an estimated 200 million total users), along with providing two years of free credit monitoring through AllClear ID, pending approval by Judge Koh. In the settlement, those that can document identity theft damage from the breach can seek up to US$375 from the settlement; otherwise, those with known affected Yahoo accounts can seek up to US$125. Judge Koh rejected the settlement offer, questioning the lack of transparency of the details of the settlements, as well as high costs recouped by the lawyers through the settlement. Yahoo! eventually agreed to settle for $117.5 million in April 2019, again offering affected users credit monitoring or a cash payout dependent on the number of respondents in the class.
Following the December 14 announcement of the August 2013 hacks, another class-action lawsuit was filed against Yahoo! in New York state on behalf of all affected United States residents, stating that "Yahoo! failed, and continues to fail, to provide adequate protection of its users' personal and confidential information."
Foreign governments have also shown concerns on the several data breaches. On October 28, the European privacy regulators "Article 29 Working Party" outlined concerns about the 2014 data breach as well as allegations that the company built a system that scanned customers' incoming emails at the request of U.S. intelligence services in a letter to Yahoo. They asked Yahoo! to communicate all aspects of the data breach to the EU authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations". In late November, Ireland's Data Protection Commissioner (DPC), the lead European regulator on privacy issues for Yahoo! whose European headquarters are in Dublin, said that it had stepped up its examination of the breach, that it was awaiting information from Yahoo! on allegations that it helped the U.S. government scan users' emails, and that Yahoo! was not investigating the breach but just examining it. Germany's Federal Office for Information Security criticized Yahoo! following the December 2016 announcement, stating "security is not a foreign concept", and warned government and other German users to seek email and Internet solutions from companies with better security approaches.
- 2012 Yahoo! Voices hack
- Corporate warfare
- Database security
- Information security
- Internet security
- List of data breaches
- Multi-factor authentication
- Security hacker
- Web literacy