Yahoo says all 3B accounts impacted by 2013 data breach

Posted in General Discussion, edited October 2017

Yahoo in a statement on Tuesday said further investigation into a massive 2013 data breach suggests all 3 billion of its user accounts were impacted by the incident, tripling the internet firm's initial estimates.




According to the statement, Yahoo said it obtained and independently verified with outside forensic experts new intelligence regarding the breadth of the 2013 data theft after it was acquired by Verizon. Following an investigation into the evidence, the company has concluded that all Yahoo user accounts, from email to other services like Flickr, were affected by what was already the largest data theft in history.

Yahoo first disclosed the data breach in 2016, saying at the time that more than 1 billion accounts were compromised as part of a hack involving cookie forging. Yahoo's security team was informed of the attack when law enforcement officials furnished the company with data files that a third party claimed were gleaned from user accounts.

Information exposed to hackers includes user account details that might include names, email addresses, phone numbers, dates of birth, passwords hashed using the MD5 algorithm, and encrypted or unencrypted security questions and answers. Echoing statements made in 2016, Yahoo said the breach did not include passwords in clear text, payment card data, or bank account information.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer at Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

As it did in 2016, Yahoo is notifying owners of accounts believed impacted via email.

Yahoo suffered a separate breach in 2014 that revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions of some 500 million accounts. That particular hack was blamed on state-sponsored actors, though the company failed to elaborate on the issue.

The pair of hacks ultimately drove down Verizon's acquisition price of Yahoo to $4.48 billion, a $350 million discount. In return, the companies agreed to split liabilities linked to lawsuits and government investigations into the security breaches.

Verizon later merged Yahoo with AOL and more than 50 other online brands to form digital media company Oath.

Comments

  • Reply 1 of 10
    Some Yahoo employee is very rich right now...
  • Reply 2 of 10
    Facepalm moment in Yahoo history.
  • Reply 3 of 10
    Our underinvestment -- collectively as a society, not just the case of Yahoo -- in privacy and security is coming back to bite us in the butt in more ways than we can currently anticipate. Russians fiddling with our election, for example, is merely one big step in an abyss of a stairwell of what's to come. 

    Thank God for a company like Apple, one of the very few that takes both privacy and security seriously. Yet, frankly, most people couldn't give a damn. And bozos like Al Franken dump Apple into the same pile as the rest. 

    At the end of the day, we get what we deserve. And are willing to pay for. 
  • Reply 4 of 10

    I had a Yahoo email address a long time back. I lost the password and couldn't reset it for a while. Later I tried to see if I could recover the email address, but Yahoo didn't let me.

    They were willing to let me use the same email id if I was willing to pay for it.

    It's been over 15 years since I meaningfully used a Yahoo account. It was fun to browse the Internet using their search engine long back. Now it's just another washed up company.

  • Reply 5 of 10
    This particular breach was the breaking point for me, and I just closed my Yahoo! account after it was reported in the news.

    I’d had a Yahoo! address for a loooong time — long enough that I could obtain a fairly obvious email address and not even have to use a number to indicate I was the nth person to use that address! — but for the past several years I used it as a dummy account when some site wanted me to sign up for something that I wasn’t particularly keen on asking for. But with the data breach, I thought that Yahoo! was just too risky to use even for unimportant stuff.

    I wish I had more confidence in companies other than Apple (and, who knows, the day may come when even that is tested...) when it comes to not using my data as currency to make themselves rich. And that extends to other so-called free services. But as Anantksundaram stated above, our collective laissez faire attitude about security and the collection of personal information has really diminished the greatness of the Internet.
  • Reply 6 of 10
    badmonk Posts: 1,293 member
    Great timing for the Equifax morons...
  • Reply 7 of 10
    coolfactor Posts: 2,241 member
    Anybody still using Yahoo email or Hotmail these days is a complete maroon, especially business owners.

  • Reply 8 of 10
    jbdragon Posts: 2,311 member
    Funny how time after time, a hack happens and it only affects so many millions of users, they say, and over time it ends up being more and more and more. I just don't see how anyone could still be using Yahoo at this point. Move to Gmail!!!
  • Reply 9 of 10
    Our underinvestment -- collectively as a society, not just the case of Yahoo -- in privacy and security is coming back to bite us in the butt in more ways than we can currently anticipate. Russians fiddling with our election, for example, is merely one big step in an abyss of a stairwell of what's to come. 

    Thank God for a company like Apple, one of the very few that takes both privacy and security seriously. Yet, frankly, most people couldn't give a damn. And bozos like Al Franken dump Apple into the same pile as the rest. 

    At the end of the day, we get what we deserve. And are willing to pay for. 
    They also do not host email accounts like Google, Microsoft and Yahoo do. So no matter what you are willing to pay for, Apple's emphasis on security and privacy won't get you an email account. But you just go ahead and keep pretending as if the whole world can be viewed through your Apple vs. Microsoft vs. Google lens. The truth is that if Apple offered more products and services that were vulnerable to security issues - instead of their very limited line of products and services - they would have far more security issues to deal with. Instead, they farm that responsibility out to the third party software and service providers whose products are necessary for making Apple hardware anything more than very expensive doorstops. Making a secure hardware and OS platform that is exclusive to each other? Easy. A secure hardware platform that can run any OS? Harder. A secure OS platform that can run on any hardware? Harder still. Secure apps and services that can run on a variety of hardware and software platforms (beyond relatively simple NON-WEB BASED media streaming and downloading tools like iTunes and Apple Music)? When Apple achieves that let me know. 

    Apple's approach to "security" is simple ... offer very few apps and services, and the ones that do rely on very little data input from users and clients (the App Store, iTunes, Apple Music, Apple Photos, Apple Maps etc. are mostly download only, iWork doesn't have client/server operation at all for the most part). The one Apple product that does have meaningful user/client data uploads - iCloud - has indeed had breaches and security issues.

    We can talk about how great Apple security is when Apple starts offering the same products and services as the other guys. But right now, you can't even use an Apple device without supplying a Google, Yahoo, Microsoft etc. email address for your iTunes, App Store, iCloud etc. accounts can you?




    edited October 2017