Yahoo Reveals 2013 Breach Affected All 3 Billion User Accounts
Just how many Yahoo accounts were breached in 2013? All 3 billion of them, according to the latest update from the company, now rebranded as "Oath." That's nearly equal to half the people on Earth, although at least one IT security expert questions how many of those accounts represent unique users.
In December, six months before it was taken over by Verizon for $4.48 billion, Yahoo revealed that a data theft incident in 2013 had affected around 1 billion user accounts. However, a company announcement released yesterday disclosed that new intelligence indicates every Yahoo account that existed at the time was affected by the breach.
To protect themselves, Yahoo account users should change their passwords and security questions and consider using the password-free authentication tool Yahoo Account Key, the company said. Other experts have advised users to activate two-factor authentication, although they offer conflicting recommendations on whether users should delete their accounts, with some warning that those accounts could be recycled and made available to new users.
'New Intelligence' Reveals Event's Scope
Late last year, Yahoo disclosed that it had been hit by two major breaches in previous years: one in 2014 that affected around 500 million users, and the one in 2013 initially believed to have left 1 billion accounts vulnerable to theft of user names, email addresses, telephone numbers, dates of birth, and hashed passwords. The news briefly threatened Verizon's purchase plans, but the deal later went through for a reduced price. Since that acquisition closed in June, Yahoo has been merged with AOL, another Verizon property, to become Oath.
"Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," the company said in a statement yesterday.
Noting that it continues to work with law enforcement authorities regarding the breach, the company added that the 2013 incident "did not include passwords in clear text, payment card data, or bank account information."
All additional users affected are being notified via email that they must change their passwords. The company said it has also invalidated unencrypted security questions and answers so they can't be used to access accounts. Anyone with a Yahoo account should also watch for suspicious account activity, and monitor bank account information and credit reports, the company added.
'What a Disaster'
The scale of the Yahoo breach has gobsmacked many information security experts accustomed to regular reports of major hacks and breaches.
"It's a sorry state of affairs when I find myself more surprised that Yahoo had somehow amassed three billion user accounts by 2013 than the fact that they managed to lose control of their data," U.K.-based security expert Graham Cluley wrote today on his blog. "What a disaster."
Meanwhile, security writer Brian Krebs took to his blog today to criticize both Yahoo and credit bureau Equifax, which last month revealed that a hack had exposed the personal data of more than 143 million Americans (a number that was increased by 2.5 million earlier this week).
"To those still feeling left out by either company after this spate of bad news, I have only one thing to say (although I feel a bit like a broken record in repeating this): Assume you're compromised, and take steps accordingly," Krebs said in a post titled, "Fear Not: You, Too, Are a Cybercrime Victim."
"Unfortunately, Yahoo's cryptography practices are not unusual," Kevin Bocek, chief security strategist for the cybersecurity firm Venafi, said in a statement emailed to media outlets. "Undetected exfiltration of large amounts of data is a symptom of weak cryptography practices. We see this in nearly every major data breach."
Jay Kaplan, CEO of the cybersecurity company Synack and a former senior analyst with the U.S. National Security Agency, had even stronger words for such security lapses.
"Frankly, I don't know how Yahoo got away with this," Kaplan told The New York Times yesterday. "My guess is that Yahoo was completely 'owned' across the board."
Retweeting an Associated Press story on the breach yesterday, U.S. Rep. Ted Lieu (D., Calif.), who holds a degree in computer science, evoked Howard Baker's famous Watergate question by asking, "What did #Yahoo leadership know and when did they know it?"