
Back in 2016, the world found out about a massive data breach at Yahoo, one that had actually begun in 2014. All up, about 500 million user accounts were impacted in the breach, with the hackers accessing users’ names, phone numbers, birthdates, security questions and more. So, what happened?
How did hackers breach Yahoo?
In early 2014, attackers gained access to Yahoo’s network by stealing a Yahoo employee’s credentials. They installed unspecified malware to help them maintain their access. The attackers then found Yahoo’s user database, as well as an account management tool that was used to access and edit the information in this database.
At some time around October of 2014, the attackers began accessing user information through both Yahoo’s account management tool and forged authentication cookies. It appears that under Yahoo’s system, cookies were stored in the user’s browser to prove that the user had passed authentication. However, the attackers were able to forge the cookies, meaning that they could access user accounts without needing a user’s username or password. The attackers were able to forge cookies from both inside and outside of Yahoo’s network.
By the end of the year, the attackers accessed a backup copy of the user database and used the File Transfer Protocol (FTP) to move it to a computer under the attackers’ control. The database stored user account information alongside nonces (unique cryptographic values). With these nonces in hand, the attackers could use each nonce associated with an account to forge cookies externally, allowing them to gain access to the account. They used forged cookies to access more than 6,500 user accounts.
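The following is a simplified model of a nonce-bound session cookie, added here as an illustration and not Yahoo's actual code. It assumes a hypothetical design in which the cookie is an HMAC over the username and the per-account nonce, keyed with a secret held outside the user database, so a copied database alone is not enough to mint a valid cookie, and rotating the nonce invalidates every cookie already issued. All names (`SERVER_KEY`, `user_db`, `mint_cookie`, `verify_cookie`, `rotate_nonce`) and the sample account are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: the signing key is kept outside the user database (for example in
# an HSM or secrets manager), so a stolen database backup does not contain it.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample record: the per-account nonce is stored with the account.
user_db = {"alice": {"nonce": secrets.token_hex(16)}}


def mint_cookie(user: str, nonce: str, key: bytes) -> str:
    """Return 'user.tag' where tag = HMAC-SHA256(key, 'user:nonce')."""
    tag = hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_cookie(cookie: str) -> bool:
    """Accept only a cookie that matches the account's current nonce and the server key."""
    user, _, tag = cookie.rpartition(".")
    record = user_db.get(user)
    if record is None:
        return False
    expected = mint_cookie(user, record["nonce"], SERVER_KEY).rpartition(".")[2]
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(tag.encode(), expected.encode())


def rotate_nonce(user: str) -> None:
    """Incident-response step: invalidate every outstanding cookie for the account."""
    user_db[user]["nonce"] = secrets.token_hex(16)


def demo() -> dict:
    legit = mint_cookie("alice", user_db["alice"]["nonce"], SERVER_KEY)
    copied_nonce = user_db["alice"]["nonce"]  # what a database copy would reveal
    # Cookie built from the copied nonce but without the server-side key.
    nonce_only = mint_cookie("alice", copied_nonce, b"not-the-server-key")
    results = {"legit": verify_cookie(legit), "nonce_only": verify_cookie(nonce_only)}
    rotate_nonce("alice")  # after rotation the previously valid cookie is rejected
    results["after_rotation"] = verify_cookie(legit)
    return results


if __name__ == "__main__":
    print(demo())
```

If the nonce is the only secret input to the cookie, as the account above suggests, the database copy is sufficient to forge cookies; in that case rotating every nonce is the step that cuts off forged sessions.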
Since the attackers controlled Yahoo’s account management tool and had a copy of the user database, they were able to search the copy of the database for user accounts that had recovery email addresses stored in the record. If the hackers were interested in targeting a company called example.com, they could look for recovery email addresses ending in @example.com, and then use both the account management tool and forged cookies to access the user’s email account.
The attackers leveraged their access to Yahoo’s system to gain entry into email accounts for cloud computing companies, email providers, journalists, business owners, politicians and government officials. The attackers even managed to use their access to Yahoo’s systems to manipulate Yahoo search results so that their favored website would appear high in the results. They then got paid commissions for directing searchers to the site.
Some of the other highlights of the hack include:
- The attackers also accessed 30 million Yahoo email accounts and stole the email contacts of the victims, purportedly to use these contact lists for spam email campaigns.
- The attackers attempted to cover up their tracks by running a log cleaner on Yahoo’s systems.
- They also used the stolen data from Yahoo to compromise related accounts at Google and other webmail providers.
In total, the attackers used forged cookies to access over 30 million user accounts. However, the data of 500 million users was included in the stolen database. Next week, we’re going to take a look at what went wrong at Yahoo that allowed the attackers to have such deep access for almost two years.
