Yahoo now says all 3 billion of its accounts affected by massive hack
Yahoo revealed Tuesday that a massive cyberattack it suffered in 2013 was much more widespread than it previously said, according to regulatory filings.
The web portal now says all 3 billion Yahoo accounts were compromised in the breach. The company initially said only 1 billion had been hit when it first disclosed the hack last December.
That means that absolutely everyone who had a Yahoo account when the theft occurred in August 2013 was affected.
Yahoo’s new Verizon-owned parent company, Oath, said the updated figure was reached after “new intelligence” was obtained and investigated with help from outside forensic experts.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” Chandra McMahon, Verizon’s chief information security officer, said in a press release. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Oath said it would begin notifying the additional 2 billion users who weren’t included in the last investigation over the course of the next several days.
The compromised information includes usernames, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers, an Oath spokesperson said on the company’s website. Payment card data and bank account information, however, were not part of the leak, the new investigation confirmed.
I’m just going to post all my info online and get it over with.
— Blaze James (@blzjames) October 3, 2017
The development is the most damaging yet in a series of embarrassing cybersecurity episodes the aging former tech titan has disclosed in the past year.
The original disclosure of the hack nearly derailed Yahoo’s then-pending blockbuster sale to Verizon that closed earlier this year. The carrier ultimately managed to knock $350 million off the agreed-upon price instead.
Yahoo also announced a separate late-2014 cyberattack last fall that it believed to be the work of a “state-sponsored actor.” The company said the incidents were not related.
Yahoo advises affected users to change their passwords and security questions, check their accounts for suspicious activity, and avoid clicking on shady emails.