INTERNET service company Yahoo has confirmed that a data breach in August 2013 affected all 3 billion of its accounts – three times the number previously reported when it was first disclosed in 2016.
The hacking exposed user account information, which included name, email address, hashed passwords, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers,” the company said in 2016.
In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
Also in 2016 Yahoo disclosed a separate data breach that occurred in late 2014, in which information associated with at least 500 million user accounts was stolen. The United States indicted four men, including two employees of Russia’s Federal Security Service (FSB), for their involvement in the hack.
The latest disclosure has come from Oath, a subsidiary of new parent company Verizon, which acquired Yahoo’s online assets in June for $4.48bn.
They said, “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.
“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.
“The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.
“The company is continuing to work closely with law enforcement.”
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon.
Additional information regarding this issue is available on the Yahoo Account Security Update FAQs page, https://yahoo.com/security-update.