Yahoo has tripled its initial estimate of the number of email accounts affected by a data breach in 2013. The company announced that all the 3 billion users who had a Yahoo email account at the time were affected and could have their data compromised.
Oath, Yahoo’s new parent company, announced Tuesday that it is providing notice to 2 billion additional user accounts that had been affected by a data breach in 2013.
In December, the web portal disclosed that more than 1 billion Yahoo email accounts had been compromised, setting the record for the largest data breach in history by number of users.
At the time, Yahoo said the information stolen by hackers may have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” However, they said investigators did not find the hackers were able to obtain passwords in clear text, payment card data, or bank account information.
In their recent announcement, the company said that the problem had already been solved in 2016, when they “took action to protect all accounts.” Yahoo notified the 1 billion impacted users “identified at the time,” required them to change their password, and invalidated unencrypted security questions so they could not be used to access an account.
Equifax: We’re totally the worst about hacking!
Yahoo: Hold our unpatched servers.
— Shira Ovide (@ShiraOvide) October 3, 2017
So, 3 billion Yahoo accounts were hacked in 2013. This is deeply disturbing. Why are there 3 billion Yahoo accounts
— Michael, still here (@Home_Halfway) October 3, 2017
Four months after Yahoo was acquired by Verizon Communications for a record $4.48 billion, the company said it had received “new intelligence” and conducted an investigation into the breach with the help of third-party forensic experts.
Verizon updated the number of users affected, but continued to deny that hackers had gained access to their “passwords in clear text, payment card data, or bank account information.”
Verizon’s chief information security officer, Chandra McMahon, said that their investment in Yahoo is allowing them to “continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
“We proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” McMahon said in a statement.
Yahoo has advised users to change their passwords and security questions and answers for any accounts that had the same or similar information as their Yahoo accounts, review their accounts for suspicious behaviour, and avoid clicking on links or downloading attachments from suspicious emails.
In March, an internal investigation by Yahoo’s board found that senior executives “did not properly comprehend or investigate” information about the breach that their security team had known about.
“The information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether…exfiltration was effectively communicated and understood outside the information security team,” a regulatory filing with the Securities and Exchange Commission said.
“The Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it,” the filing continued.