Yahoo today has disclosed that the 2013 hack initially thought to have affected 1 billion accounts actually affected all 3 billion of its user accounts. The company made the announcement in a filling with the SEC…
Sylvania HomeKit Light Strip
The hack initially occurred in 2013 but wasn’t disclosed by Yahoo until 2016 when it said that 1 billion user accounts were accessed by an unauthorized third-party. The breached data included information such as email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers.
As a precaution, Yahoo is notifying the remaining 2 billion users of the hack. The company is also quick to point out that information such as passwords in clear text, payment card details, and bank details was not part of the hack.
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.
While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.
For its part, Verizon – which acquired Yahoo earlier this year – says that it is committed to user security and ensuring that it is as transparent as possible regarding security:
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
This is only one of several high-profile data breaches that have plagued Yahoo over recent years. Last year, the company confirmed that a 2014 hack made account information from 500 million users available. The company pinpointed that hack to a state-sponsored actor. It later confirmed a separate, smaller hack that affected some 32 million accounts.
Yahoo’s full disclosure filing can be found here.