Previously, Yahoo said the hack affected 1 billion accounts, or a third of all accounts at the time. Verizon now says new intelligence suggests the attack was much larger, compromising all Yahoo accounts in 2013.
Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.Information stolen from affected accounts included names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers. Clear text passwords, bank account information, and credit/debit card information are not believed to have been accessed in the attack.
In a statement, Verizon says the Yahoo team is continuing to take significant steps to enhance security.
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer, Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."Yahoo initially uncovered the attack after law enforcement officials provided the company with Yahoo user data from an unknown source. Yahoo notified users it believed were affected in 2016 at the time the attack was disclosed, but the company will now send email notifications to additional user accounts affected by the hack.
Along with the attack in 2013, Yahoo saw another data breach in 2014 that compromised 500 million accounts, and a third major breach targeting accounts between 2015 and 2016.
The security breaches affected Verizon's $4.48 billion June acquisition of Yahoo, leading Yahoo to drop its asking price by $350 million.
Yahoo is already under SEC investigation for not disclosing the data breach sooner and affected victims have been given the right to sue the company.
Discuss this article in our forums