The Yahoo Breaches
Three billion accounts. Two breaches. One acquisition that had to be renegotiated mid-deal when the receipts finally arrived.
In September 2016, Yahoo disclosed that 500 million accounts had been compromised in a 2014 intrusion. Three months later, the company disclosed a second, separate breach from 2013 affecting another billion accounts. A year after that, with Verizon now the new owner, the number for the 2013 incident was revised upward to three billion — that is, every Yahoo account that had ever existed.
A breach during a sale
The timing was extraordinarily inconvenient. Verizon had agreed in mid-2016 to acquire Yahoo's core business for roughly 4.8 billion dollars. The breach disclosure landed mid-due-diligence. Verizon used the leverage to shave roughly 350 million dollars off the price and to require Yahoo to share the legal liability for the unfolding mess.
Two intrusions, two stories
US prosecutors attributed the 2014 breach to two Russian FSB officers and a pair of contracted criminal hackers, in an indictment that read more like an intelligence brief than a fraud case. The 2013 intrusion was never publicly attributed with the same confidence; its sheer scale, and the fact that stolen credentials reportedly surfaced in private intelligence circles before they surfaced anywhere else, suggested it had been hoarded for years before its eventual sale.
What the chronicle remembers
Yahoo is the canonical example of disclosure delay. The technical breach was serious but unexceptional; the lasting story is institutional. A company in the middle of selling itself sat on knowledge of a historic data theft for years, and that delay reshaped how regulators and acquirers think about breach reporting in M&A.