“Do You Yahoo?”
The Story
In January 1994, two Stanford electrical engineering PhD students — Jerry Yang and David Filo — started maintaining a list of their favorite websites. The list grew. They organized it into categories. They called it "Jerry and David's Guide to the World Wide Web," then renamed it Yahoo (officially "Yet Another Hierarchically Organized Oracle"). By the time they incorporated in 1995, the web was still small enough that two people with good taste could meaningfully catalog it.
Yahoo became the internet's front door. Before search engines could crawl and index the web automatically, Yahoo's hand-curated directory was how millions of people found things online. You didn't search — you browsed categories. Arts & Humanities. Business & Economy. Computers & Internet. Recreation & Sports. It was the card catalog for a library that was doubling in size every few months.
The portal model followed: Yahoo Mail (1997), Yahoo Finance, Yahoo News, Yahoo Sports, Yahoo Messenger. Each service was dominant or near-dominant in its category. Yahoo Mail was, for years, the most popular email service in the world. Yahoo Finance remains one of the most visited financial data sites decades later. At its peak in January 2000, Yahoo's market capitalization hit $125 billion. They turned down a $1 million offer to sell to AOL in 1996. They turned down a $44.6 billion acquisition offer from Microsoft in 2008.
Then the directory model lost to algorithmic search, and Google ate Yahoo's core business. Yahoo pivoted to media — hiring journalists, acquiring Tumblr for $1.1 billion, licensing NFL streaming rights. The company that had been an engineering-driven internet pioneer reoriented itself as a content company. This strategic shift had a consequence that would prove catastrophic: security infrastructure was defunded and deprioritized in favor of media spending.
In late 2014, state-sponsored attackers breached Yahoo's systems and exfiltrated data on approximately 500 million user accounts — names, email addresses, phone numbers, dates of birth, hashed passwords (some with the weak MD5 algorithm), and security questions and answers. Yahoo did not publicly disclose this breach until September 2016, nearly two years later.
But the 2014 breach wasn't the worst of it. In August 2013 — a full year before the 500-million-account breach — a separate intrusion had compromised every single Yahoo user account in existence. All three billion of them. This breach was not disclosed until December 2016, more than three years after it occurred. The initial disclosure claimed one billion accounts; Yahoo revised the number upward to three billion in October 2017.
Three billion accounts. Every Yahoo user who had ever created an account. Names, emails, phone numbers, dates of birth, hashed passwords, and in some cases unencrypted security questions and answers. It remains, as of this writing, the largest data breach in recorded history.
The security team had tried to sound alarms. Yahoo's Chief Information Security Officer, Alex Stamos, reportedly clashed with management over security investment before departing for Facebook in 2015. The company's internal security group was small, underfunded, and subordinate to a leadership team that viewed security spending as a cost center competing with content acquisition budgets. The architecture that stored three billion accounts' worth of authentication data did not have the monitoring, segmentation, or encryption practices that the scale of that data demanded.
Verizon acquired Yahoo in June 2017 for $4.48 billion — a figure reduced by $350 million from the original offer due to the breach disclosures. The company that had been valued at $125 billion sold for less than what Verizon paid for AOL two years earlier. The Yahoo brand was folded into a subsidiary called Oath, later rebranded to Verizon Media, then sold again to Apollo Global Management in 2021. The name survives on a few properties. The company does not.
Why They're in the Hall
Yahoo is a Pioneer — and a premier entry in both the Hall of Fame and the Hall of Shame, because the same company that built the internet's first front door also produced the internet's worst security disaster.
The Fame: Yahoo proved that the web needed organization. Before Google's PageRank algorithm made machine-ranked search viable, Yahoo's human-curated directory was the closest thing the internet had to a table of contents. The portal model they built — email, news, finance, sports, all under one brand — defined how a generation understood "going online." Yahoo Mail, Yahoo Messenger, and Yahoo Finance were foundational services that shaped user expectations for what the web could do. Flickr, which Yahoo acquired in 2005, was the first large-scale photo-sharing platform and pioneered tagging, Creative Commons integration, and API-driven third-party development. Yahoo's engineering teams contributed meaningfully to distributed systems research, including the development and deployment of Hadoop.
The Shame: The 2013 breach is the single largest compromise of user authentication data in history. The raw numbers — three billion accounts — are staggering, but the deeper failure is structural. Yahoo's security infrastructure was systematically underfunded during the years when the company held credentials for a significant fraction of the internet's users. The breach wasn't a matter of a sophisticated zero-day exploit defeating state-of-the-art defenses. It was a matter of inadequate defenses existing in the first place: weak hashing algorithms, insufficient network segmentation, lack of monitoring that would have detected exfiltration of that scale, and a corporate culture that treated security as subordinate to content strategy.
The multi-year delay in disclosure compounds the architectural failure with an organizational one. Users whose credentials were compromised in 2013 were not notified until late 2016. For three years, three billion sets of credentials circulated among attackers while Yahoo's users continued logging in with compromised passwords, reusing those passwords on other services, and answering security questions whose answers were already in adversarial hands. The blast radius extended far beyond Yahoo — every service where a Yahoo user had reused a password was retroactively compromised.
The TechnicalDepth connection runs through auth, data_integrity, and architecture. Yahoo's breach is the canonical example of what happens when authentication data at scale is not treated as the most sensitive asset an organization holds. The security questions stored in plaintext. The MD5 hashes that could be cracked in bulk. The architectural decision to store three billion accounts' worth of sensitive data without the segmentation, monitoring, and encryption that such a trove demands. Every principle about credential storage, breach detection, and defense-in-depth that modern security practice teaches — Yahoo violated at scale.
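The two storage failures named above, unsalted MD5 password hashes and plaintext security answers, have a standard defensive fix: re-hash each password with a slow, salted KDF the next time the user logs in successfully, and replace stored answers with salted hashes of a normalized form. The sketch below is an added example, not Yahoo's code or remediation; the record format, field names, scrypt parameters and sample accounts are all assumptions constructed for illustration.

```python
import hashlib, hmac, os, unicodedata

N, R, P = 2**14, 8, 1  # assumed scrypt cost parameters; tune for your hardware

def scrypt_record(secret: str) -> str:
    """Return 'scrypt$<salt>$<key>' using a fresh per-record random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(secret.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def verify_scrypt(secret: str, record: str) -> bool:
    _, salt_hex, key_hex = record.split("$")
    key = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex),
                         n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form and whitespace so matching survives hashing."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def login(store: dict, user: str, password: str) -> bool:
    """Verify a login; upgrade a legacy MD5 record once the password is proven."""
    record = store[user]["pw"]
    if record.startswith("scrypt$"):
        return verify_scrypt(password, record)
    legacy = hashlib.md5(password.encode()).hexdigest()  # legacy check only
    if hmac.compare_digest(legacy, record):
        store[user]["pw"] = scrypt_record(password)  # the MD5 hash is discarded
        return True
    return False

def migrate_answers(store: dict) -> None:
    """Replace every plaintext security answer with a salted scrypt record."""
    for account in store.values():
        if "answer" in account:
            plaintext = account.pop("answer")
            account["answer_hash"] = scrypt_record(normalize_answer(plaintext))

def legacy_accounts(store: dict) -> list:
    """Accounts still on MD5: candidates for forced reset or hash wrapping."""
    return sorted(u for u, a in store.items() if not a["pw"].startswith("scrypt$"))

def sample_store() -> dict:
    """Constructed sample data: two accounts in the weak legacy format."""
    return {
        "alice": {"pw": hashlib.md5(b"correct horse").hexdigest(),
                  "answer": "  Fluffy the Cat "},
        "bob": {"pw": hashlib.md5(b"hunter2").hexdigest(), "answer": "Springfield"},
    }
```

Accounts that never log in again stay on MD5, which is why `legacy_accounts` exists: those records need a forced reset or an outer KDF applied over the stored hash.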
Yahoo's trajectory is also a case study in how organizational priorities shape technical outcomes. The same company that employed world-class engineers and contributed to foundational open-source infrastructure chose, at the leadership level, to redirect resources away from security and toward media content. The breach wasn't caused by a lack of available expertise. It was caused by a business strategy that deprioritized the infrastructure protecting its users. The technical failure was downstream of an organizational one — and that pattern repeats across every major breach in the modern era.
