Yahoo says all 3B accounts impacted by 2013 data breach

Posted:
in General Discussion edited October 2017
Yahoo in a statement on Tuesday said further investigation into a massive 2013 data breach suggests all 3 billion its user accounts were impacted from the incident, tripling the internet firm's initial estimates.




According to the statement, Yahoo said it obtained and independently verified with outside forensic experts new intelligence regarding the breadth of the 2013 data theft after it was acquired by Verizon. Following an investigation into the evidence, the company has concluded that all Yahoo user accounts, from email to other services like Flickr, were affected by what was already the largest data theft in history.

Yahoo first disclosed the data breach in 2016, saying at the time that more than 1 billion accounts were compromised as part of a hack involving cookie forging. Yahoo's security team was informed of the attack when law enforcement officials furnished the company with data files a third party claimed was gleaned from user accounts.

Information revealed to hackers include user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed using the MD5 protocol and encrypted or unencrypted security questions and answers. Echoing statements made in 2016, Yahoo said the breach did not include passwords in clear text, payment card data, or bank account information.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer at Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

As it did in 2016, Yahoo is notifying owners of accounts believed impacted via email.

Yahoo suffered a separate breach in 2014 that revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions of some 500 million accounts. That particular hack was blamed on state-sponsored actors, though the company failed to elaborate on the issue.

The pair of hacks ultimately drove down Verizon's acquisition price of Yahoo to to $4.48 billion, a $350 million discount. In return, the companies agreed to split liabilities linked to lawsuits and government investigations into the security breaches.

Verizon later merged Yahoo with AOL and more than 50 other online brands to form digital media company Oath.

Comments

  • Reply 1 of 10
    Some yahoo employee is very rich right now...
  • Reply 2 of 10
    facepalm moment in yahoo history.
  • Reply 3 of 10
    Our underinvestment -- collectively as a society, not just the case of Yahoo -- in privacy and security is coming back to bite us in the butt in more ways than we can currently anticipate. Russians fiddling with our election, for example, is merely one big step in an abyss of a stairwell of what's to come. 

    Thank God for a company like Apple, one of the very few that takes both privacy and security seriously. Yet, frankly, most people couldn't give a damn. And bozos like Al Franken dump Apple into the same pile as the rest. 

    At at the end of the day, we get what we deserve. And are willing to pay for. 
    lkruppzeus423rob53magman1979fotoformatdecoderingbadmonkwatto_cobra
  • Reply 4 of 10

    I had a Yahoo email address a long time back. I lost the password and couldn't reset it for a while. Later I tried to see if I could recover the email address, but Yahoo didn't let me.

    They were willing to let me use the same email id if I was willing to pay for it.

    It's been over 15 years since I meaningfully used a Yahoo account. It was fun to browse the Internet using their search engine long back. Now it's just another washed up company.

    watto_cobraanton zuykov
  • Reply 5 of 10
    This particular breach was the breaking point for me, and I just closed my Yahoo! account after it was reported in the news.

    I’d had a Yahoo! address for a loooong time — long enough that I could obtain a fairly obvious email address and not even have to use a number to indicate I was the nth person to use that address ! —, but for the past several years I used it as a dummy account when some site wanted me to sign up for something that I wasn’t particularly keen on asking for. But with the data breach, I thought that Yahoo! was just too risky to use even for unimportant stuff.

    I wish I had more confidence in companies other than Apple (and, who knows, the day may come when even that is tested...) when it comes to not using my data as currency to make themselves rich. And that extends to other so-called free services. But as Anantksundaram stated above, our collective laissez faire attitude about security and the collection of personal information has really diminished the greatness of the Internet.
    watto_cobra
  • Reply 6 of 10
    badmonkbadmonk Posts: 695member
    Great timing for the Equifax morons...
    watto_cobra
  • Reply 7 of 10
    HBW1HBW1 Posts: 37member
    I read another on TechCrunch and CNET, they are suggesting every yahoo user to login and change their security questions and answers and password. 
  • Reply 8 of 10
    coolfactorcoolfactor Posts: 1,255member
    Anybody still using Yahoo email or Hotmail these days is a complete maroon, especially business owners.

  • Reply 9 of 10
    jbdragonjbdragon Posts: 1,788member
    Funny how time after time, a hack happens and it only effects so many millions of used they say and over time it ends up being more and more and more. I just don't see how anyone could still be using Yahoo at this point. Move to Gmail!!!
  • Reply 10 of 10
    Our underinvestment -- collectively as a society, not just the case of Yahoo -- in privacy and security is coming back to bite us in the butt in more ways than we can currently anticipate. Russians fiddling with our election, for example, is merely one big step in an abyss of a stairwell of what's to come. 

    Thank God for a company like Apple, one of the very few that takes both privacy and security seriously. Yet, frankly, most people couldn't give a damn. And bozos like Al Franken dump Apple into the same pile as the rest. 

    At at the end of the day, we get what we deserve. And are willing to pay for. 
    They also do not host email accounts like Google, Microsoft and Yahoo do. So no matter what you are willing to pay for, Apple's emphasis on security and privacy won't get you an email account. But you just go ahead and keep pretending as if the whole world can be viewed through your Apple vs. Microsoft vs. Google lens. The truth is that if Apple offered more products and services that were vulnerable to security issues - instead of their very limited line of products and services - they would have far more security issues to deal with. Instead, they farm that responsibility out to the third party software and service providers whose products are necessary for making Apple hardware anything more than very expensive doorstops. Making a secure hardware and OS platform that is exclusive to each other? Easy. A secure hardware platform that can run any OS? Harder. A secure OS platform that can run on any hardware? Harder still. Secure apps and services that can run on a variety of hardware and software platforms (beyond relatively simple NON-WEB BASED media streaming and downloading tools like iTunes and Apple Music)? When Apple achieves that let me know. 

    Apple's approach to "security" is simple ... offer very few apps and services, and the ones that do rely on very little data input from users and clients (the App Store, iTunes, Apple Music, Apple Photos, Apple Maps etc. are mostly download only, iWork doesn't have client/server operation at all for the most part). The one Apple product that does have meaningful user/client data uploads - iCloud - has indeed had breaches and security issues.

    We can talk about how great Apple security is when Apple starts offering the same products and services as the other guys. But right now, you can't even use an Apple device without supplying a Google, Yahoo, Microsoft etc. email address for your iTunes, App Store, iCloud etc. accounts can you?




    edited October 2017
Sign In or Register to comment.