
Yahoo data breaches — exercise your GDPR rights

Yahoo suffered two of the largest data breaches in history: a 2014 state-sponsored attack on 500 million accounts, and a 2013 breach that ultimately affected all 3 billion Yahoo accounts — disclosed years after the events. Although both breaches predate GDPR, the Regulation applies to Yahoo's ongoing processing of your data. If you have an old Yahoo, Flickr, or Tumblr account, exercising your right to erasure is particularly worthwhile.

⚖️ Regulatory action: No EU or UK GDPR fine was issued as the breaches predated GDPR (May 2018). Yahoo agreed to a $117.5 million class action settlement with US users. Yahoo Inc. also paid an $80 million settlement with US investors over the delayed breach disclosure.

What happened

2014: 500 million accounts affected

State-sponsored attackers compromised Yahoo's systems in late 2014, accessing the account information of approximately 500 million users. The breach was not discovered by Yahoo until 2016 and was publicly disclosed in September 2016. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security question answers.

Data exposed:
  • Names
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Hashed passwords (bcrypt)
  • Security questions and answers (some unencrypted)

2013: 3 billion accounts (all accounts) affected

A separate 2013 breach ultimately affected every Yahoo account that existed at the time — 3 billion in total. This was not fully disclosed until October 2017, after Verizon completed its acquisition of Yahoo. The breach predated Yahoo's security improvements and included user credentials and personal details hashed using the weaker MD5 algorithm.

Data exposed:
  • Names
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Hashed passwords (MD5)
  • Security questions and answers (some encrypted, some in plaintext)
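The two breach descriptions above turn on one detail: the 2013-era records used bare MD5, the 2014-era records used bcrypt. The block below is an added illustration, not code from Yahoo or from this guide, of why that matters for password storage. It contrasts an unsalted MD5 record with a salted, deliberately slow record and a constant-time verifier. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (which is not in the standard library); the sample password, the record format and the function names are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample password for illustration only; not data from the breaches.
SAMPLE_PASSWORD = "correct horse battery staple"


def legacy_md5_record(password: str) -> str:
    """Store a password the way the 2013-era records are described: a bare,
    unsalted MD5 digest. Every user who picks the same password gets the same
    digest, so one precomputed table covers every account, and MD5 is cheap
    enough that building such tables is trivial."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_kdf_record(password: str, salt: Optional[bytes] = None,
                      iterations: int = 200_000) -> str:
    """Store a password with a per-user random salt and a tunable work factor.
    PBKDF2-HMAC-SHA256 stands in here for bcrypt (used in the 2014-era
    records); both give each record a unique salt and make each guess cost
    real CPU time. The record format 'algo$iterations$salt$digest' is a
    constructed convention for this example."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive from the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_collide(store_fn: Callable[[str], str], password: str) -> bool:
    """True when two accounts with the same password end up with identical
    stored records, i.e. when one leaked table is reusable across accounts."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    print("unsalted MD5 collides across users:", records_collide(legacy_md5_record, SAMPLE_PASSWORD))
    print("salted KDF collides across users: ", records_collide(salted_kdf_record, SAMPLE_PASSWORD))
    rec = salted_kdf_record(SAMPLE_PASSWORD)
    print("stored record:", rec)
    print("verify correct password:", verify_salted(SAMPLE_PASSWORD, rec))
    print("verify wrong password:  ", verify_salted("not the password", rec))
```

The point for a defender reading a breach disclosure: "hashed passwords" is not one category. An unsalted fast hash such as MD5 gives every account that shares a password the same stored value and can be tested at very high rates, so a leak of such records should be treated much like a plaintext leak; a salted slow hash limits the damage per record and per guess, which is why the bcrypt-era records are the less severe of the two.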

What you can do

If you have ever had a Yahoo, Flickr, or Tumblr account, your data was included in one or both breaches. Even if you no longer use the account, Yahoo may still hold your personal data. A GDPR subject access request will reveal what data Yahoo holds and give you the evidence to request erasure — particularly important for dormant accounts you may have forgotten.

You have two key rights under GDPR:

Note: For EU residents, the data controller is Yahoo EMEA Limited, 5-7 Point Square, North Wall Quay, Dublin 1, Ireland. Submit GDPR requests via Yahoo's privacy portal.

Generate your access request

This letter is pre-addressed to Yahoo EMEA Limited, the official EU data controller for Yahoo.

To: Yahoo EMEA Limited
5-7 Point Square, North Wall Quay, Dublin 1, Ireland

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
