The Yahoo data breaches remain the largest in history by number of accounts affected, and their impact extended far beyond the immediate security consequences. When Verizon Communications was in the process of acquiring Yahoo's internet business for $4.83 billion, the disclosure of two massive breaches forced a $350 million reduction in the purchase price and fundamentally changed how the industry approaches cybersecurity due diligence in mergers and acquisitions. For third-party risk management professionals, the Yahoo case is a landmark example of inherited risk.
The Breaches: A Timeline
The 2013 Breach: 3 Billion Accounts
In August 2013, Yahoo experienced what would become the largest data breach ever recorded. Every single Yahoo user account — all 3 billion of them — was compromised. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the weak MD5 algorithm), and in some cases, encrypted or unencrypted security questions and answers.
Yahoo did not disclose this breach until December 2016, more than three years after it occurred. Even then, Yahoo initially reported that 1 billion accounts were affected. It was not until October 2017 — after Verizon had completed the acquisition — that Yahoo revised the figure upward to all 3 billion accounts.
The 2014 Breach: 500 Million Accounts
In late 2014, a separate breach compromised approximately 500 million Yahoo user accounts. This breach was attributed to a "state-sponsored actor." The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. Yahoo disclosed this breach in September 2016 — nearly two years after it occurred and only after the security team was prompted by stolen data appearing for sale on dark web markets.
| Event | Date | Date Disclosed | Details |
|---|---|---|---|
| First Breach | August 2013 | December 2016 (revised October 2017) | 3 billion accounts (all accounts) |
| Second Breach | Late 2014 | September 2016 | 500 million accounts |
| Verizon Acquisition Announced | July 25, 2016 | | $4.83 billion for Yahoo's internet business |
| Verizon Price Reduction | February 2017 | | $350 million reduction (from $4.83B to $4.48B) |
The Russian FSB Connection
In March 2017, the U.S. Department of Justice unsealed an indictment charging four individuals with the 2014 Yahoo breach, including two officers of Russia's Federal Security Service (FSB): Dmitry Dokuchaev and Igor Sushchin. The other two defendants were Alexsey Belan, a Russian national on the FBI's Most Wanted list, and Karim Baratov, a Canadian citizen who was subsequently arrested, extradited, and sentenced to five years in prison in 2018.
The indictment described a scheme in which the FSB officers directed criminal hackers to gain access to Yahoo's network. The attackers used a combination of spear-phishing and exploitation of Yahoo's internal systems, including gaining access to Yahoo's User Database (UDB) and Account Management Tool. The state-sponsored nature of the attack underscored the sophistication of the threat and the inadequacy of Yahoo's defenses at the time.
The Verizon Acquisition: Inherited Risk in Action
Verizon announced its agreement to acquire Yahoo's internet operating business on July 25, 2016. Barely two months later, in September 2016, Yahoo disclosed the 2014 breach. The December 2016 disclosure of the 2013 breach followed. These revelations created unprecedented uncertainty for the deal.
In February 2017, Verizon and Yahoo agreed to reduce the acquisition price by $350 million, from $4.83 billion to approximately $4.48 billion. Additionally, the revised terms required Yahoo (later renamed Altaba for its remaining investment assets) to share liability for future legal and regulatory costs arising from the breaches. The deal closed in June 2017.
The Yahoo acquisition demonstrated that undisclosed cybersecurity liabilities can have the same impact on deal value as undisclosed financial liabilities. The $350 million price reduction set a precedent that cyber risk is a material factor in M&A valuation.
The aftermath continued for years. In 2018, the SEC fined Altaba (formerly Yahoo) $35 million for failing to disclose the 2014 breach in a timely manner — the first time the SEC imposed a penalty specifically for failing to disclose a cyber breach. In 2019, Yahoo agreed to a $117.5 million class-action settlement (later re-negotiated) with affected users.
Lessons for Third-Party Risk Management
The Yahoo breaches taught the industry several enduring lessons about third-party and inherited risk:
- M&A due diligence must include cybersecurity: Before the Yahoo case, cybersecurity was often a footnote in acquisition due diligence. Afterward, it became standard practice to conduct thorough cybersecurity assessments of acquisition targets, including penetration testing, vulnerability assessments, and review of past incidents.
- Delayed disclosure compounds damage: Yahoo's multi-year delay in disclosing both breaches significantly increased the financial and reputational impact. Timely disclosure, while painful, limits exposure.
- You inherit the risk of everything you acquire: When Verizon acquired Yahoo, it also acquired all of Yahoo's cybersecurity liabilities, including breaches that had occurred years earlier. This is the ultimate third-party risk scenario: absorbing another organization's entire risk profile.
- State-sponsored threats target the supply chain: The involvement of FSB officers demonstrated that nation-state actors actively exploit third-party relationships and acquisitions as attack vectors.
Sources & References
- U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo - U.S. Department of Justice, March 2017
- Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach - SEC Press Release, April 2018
- Verizon Completes Yahoo Acquisition - Verizon Communications, June 2017
- Verizon, Yahoo Agree to Revised Deal Following Cyber Attacks - Reuters, February 2017
- Yahoo Inc. Form 8-K: Security Incident Disclosure - Yahoo SEC Filing, September 2016