
It occurred in 2013


Unsalted MD5 has been demonstrated to be vulnerable to collisions since 2005. Rainbow tables existed way before 2013. There's no excuse for a tech company of this size.


Unsalted anything has been phased out earlier in a lot of other places.


..and it took them three years to find and report it?


More likely report than find. From what I've seen of their current disclosure policies, and what execs have written on Y!Answers and such, they find the problem, they figure out who did it and how, and then after they've figured out how to fix it, they alert the userbase and the public - in that order.

Also, please do remember that we're getting into a different leadership team now at Yahoo; previously they were absolutely convinced that disclosure and alarmism were one and the same - and that any perceived weakness in the Yahoo Mail product would drive people to Gmail.


The intrusion happened more than a year after Marissa Mayer became CEO of Yahoo.



