Yahoo Confirms Half A Billion User Accounts Hacked, Blames "State-Sponsored Actor" For Breach

Tyler Durden's picture

Earlier today we reported that based on a ReCode announcement, some 200 million Yahoo user accounts (yes, apparently Yahoo has that many users) may have been hacked. Moments ago, Yahoo confirmed the report, only it increased the total from 200 to 500 million, and- in keeping with all the recent Democratic Party hacks - blamed a "state-sponsored actor."  Which is ironic because as we said this morning, "the latest massive data breach may or may not be blamed on Putin." It looks like it just was.

Here is the official announcement:

A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter.


Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven't changed their passwords since 2014 do so.


Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information. Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.


Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice.


Additional information will be available on the Yahoo Security Issue FAQs page,, beginning at 11:30 am Pacific Daylight Time (PDT) on September 22, 2016.

So much for using secure 9-character or more long passwords including capital letters, special characters and numbers. What is more ironic is that Verizon is paying $4.8 billion for the only asset that Yahoo has, or rather had, its user information, which is now publicly available for $1800 on the dark web.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
EscapeKey's picture

is hillary about to declare war with russia over this?

NoDebt's picture

I didn't believe it when they reported it was only 200MM this morning.  NOw I'm calling total bullshit.  THey don't have half a billion users unless they have Wells Fargo managing their account base for them.


NoDebt's picture

"What is more ironic is that Verizon is paying $4.8 billion for the only asset that Yahoo has, or rather had, its user information, which is now publicly available for $1800 on the dark web."



ParkAveFlasher's picture

Putin can read my email from 2004!!!  he knows my fantasy baseball scores from 2008!!!

froze25's picture

So yahoo's lax security will be used to further the Bull Shit narrative of the "evil Russians". Next they will blame something Trump said to cause them to have had Lax security and enabling the Russians. Or some other twisted bull shit to escape being held to account.

Hype Alert's picture

The breach was in 2014.  Thanks Yahoo for the prompt notice.

SlowBro's picture

Next thing you know Microsoft is going to announce that Internet Explorer 7 has vulnerabilities.

bamawatson's picture

amazing how they always "know" the hacker's identity; yet fail to stop the intrusion

EscapeKey's picture

it's pretty simple, actually.

1. find all information which may or may not be relevant.

2. discard all that doesn't fit the narrative.

Squid Viscous's picture

also , he was under your bed last night, playing chess with an ISIL commander

ParkAveFlasher's picture

That would have been awesome.  I wonder what he feels about that Verlander for Pujols trade.

Squid Viscous's picture

a german for a mongrel, hmm... he would have demanded another caucasian pitcher thrown in the deal

combatsnoopy's picture

200million accounts created Wells Fargo style is probably only worth $1800.  

auricle's picture

I blame the government for not properly secruring the internet during its early phases. The .gov has been using backdoors for years to spy on other countries and now the rest of them have caught up with us. The internet will not survive if annonymity is not protected. That means securing and encrypting all layers of the internet transport layers. Call John McAfee he knows exactly what needs to be done to save the internet.

bamawatson's picture

plus he knows how to snort coke and literally get away with murder

tmosley's picture

Lots of people make throwaway accounts for a one time use. I wouldn't be surprised if 100,000 fairly savvey users made that many over ten years or so before better services came along specifically for that purpose.

you enjoy myself's picture

I don't even consider myself a Yahoo user and yet I have three accounts: one just for fantasy football and nothing else, one because I needed a secondary email address for something from years ago (and never use), and one from so long ago I have absolutely no idea what the username is or what it was for.  

sleepingbeauty's picture

Yep, I have 10 accounts listed in my roboforms. I only use one. Some are for my kids and hubby but for the most part they are junk accounts that I needed to join a yahoo group.

any_mouse's picture

I have a Yahoo! email address. Never used it for anything other than signing into Yahoo for my saved customized stock chart. And now that is useless.

I don't think I am that unique.

Good purchase VZ!

VZ has also purchased my AOL username, used less often than my Yahoo!.

In 1999 I told AOL stock pumpers that AOL's subscriber list was not that valuable of asset. Subscribers on the Internet can be carried away like a puffy dandelion in the wind.

seek's picture

It's throwaway accounts. While I only have a half-dozen on yahoo, my total number of accounts due to throwaways is probably over 200 at this point. A lot of people make a new account for a one-time signup so they don't get spammed.

Accounts != unique users. And unique users != active users. My guesss is Yahoo's active user base is in the 10s of millions, and like AOL, almost all due to legacy users not moving to something better.

bamawatson's picture

lord i would puke looking at even one yahoo account

buzzardsluck's picture

2014...thanks for the quick update motherfuckers

Bill of Rights's picture

Oh knows you mean they will read all my SPAM mail? gasp...

offwirenews's picture

People have yahoo accounts?

kliguy38's picture

what's Yahoo.....thot it was a chocolate drink

EscapeKey's picture

it's where people used to discuss stock trading back in the dot-com days

they had a god-awful interface, though.

Urban Redneck's picture

If it was state-sponsored, why the assumption that it was a hack? Could just as easily have been a mole, since state sponsors can afford and do actually pay spies. Given Silicon Valleys fetish for outsourcing IT work to India... it would probably be cheaper and faster to someone pay someone in the third world (and right next door to China) to walk out of the local Yahoo! office with a backup copy of a customer database...

s2man's picture

I checked,  I still have an account there.   I had to guess my username and my password,  but after several tries,  I got in.   FWIW,  my password was,  asdfasdf.   They made me change it.

Squid Viscous's picture

my username is fitler_adolf - shocked that I havent been DQ'd

any_mouse's picture

Mine is phouch666

I was a member of an eGroup when Yahoo! assimiliated eGroups.

I was being forced to sign up with a Yahoo! account to continue access to the eGroup.

medium giraffe's picture

what is the deal with women in positions of power and emails?

bamawatson's picture

they should be called on the carpet and chewed out

Squid Viscous's picture

not Marissa, she's an ugly, creepy albino bitch and her pussy probably smells like 3 day old feta cheese

RawPawg's picture

USA Created False Flags are getting more Lamer,and Lamer

USA=JV Team...Winning(Not)

East Indian's picture

It takes nearly three years to come clean on this? Why didn't Yahoo announce this is in 2014 itself?

"What difference does it make now?"

One more supercorporation taking us for a ride.

Dg4884's picture

So, I guess when the country runs out of food, a year later they'll let us know.  2014?  Shouldn't that little fact be part of a class action laswsuit?

Slippery Slope's picture

If Russia can figure out a way to delete all the spam mail, so I can read my emails, I will be eternally grateful.

combatsnoopy's picture

I didn't know Hillary Clinton conducted government business on her Yahoo account.  :)


Catullus's picture

Cancel the merger, Verizon!

Chauncey Gardener's picture

Their exec's and BOD are too busy congratulating themeselves for their brilliant acquisition to grow their user base and enhance the brand. Glad I'm with AT&T.

johnjkiii's picture

nice of those a**holes to wait 2 years to drop that one.

Seychelles's picture

And they want us to trust the safety of a digital (cashless) system for our after tax savings?  "Your account has been emptied without your authorization?  Please call 800-xxx-yyyy.  Your estimated wait time will be approximately 256 years."

Lumberjack's picture

Yahoo keeps sending me this:

Someone attempted to sign in to your Yahoo account from an app that doesn't meet Yahoo's security standards. We blocked this sign in attempt, which was made on:

Sun, Sep 18, 2016 11:28 AM EDT from United States.

If you were trying to sign in, then please take one of these actions:

Option 1 (recommended): Use or the Yahoo Mail app for Android and iOS to more securely access your account.

Option 2 (not recommended): If you still want to use an app that uses less secure sign in to your Yahoo account:

Click here:

Turn on "Allow apps that use less secure sign in"

Go back to your existing email application and sign in to your Yahoo account again.

Using apps that don't meet Yahoo's recommended security standards may leave your account more vulnerable or less secure.

If you did not try to sign in, then click here (link)

For more information, visit our help page at: (link)


sudzee's picture

Most likely insiders stealing info and selling it. 

jughead's picture

fucking two year old crack and NOW they want you to change your password? 

shimmy's picture

Blame Putin! Makes zero sense but hey, do it anyway. 

The idiocy in this world is mind boggling.

lasvegaspersona's picture

You'd think an internet company could be a little more specific that 'state sponsored' hacker. I'm sure if they had any real proof they'd say so. For now they just want us to blame Putin.