An investigation has revealed the true extent of the notorious 2013 breach that hit Yahoo, finding that in fact every one of the three billion accounts were impacted.
The users of these accounts are in the process of being notified, but it has been stated that payment card and bank account details were not included, and passwords were not clearly visible.
Verizon has purchased Yahoo since the slew of reputation destroying data breaches, and new insight was made into the hacks of 2013 and onwards. Oath is the new brand formed by Verizon’s acquisitions of both Yahoo and AOL.
Initially it was announced that an already shocking 500 million accounts had been affected, before a figure of one billion was owned up to. The unveiling of the truth that all three billion user accounts were hit exceeds expectations.
Sam Curry, CSO at Cybereason, commented on the situation, he said: “The raw number of compromised accounts increase verges on the ridiculous and loses meaning as we get numbers normally only seen in astronomy. 3 billion, 2 billion, 1 billion… how does this have personal meaning when it means half the population of the world? The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate.”
Despite the announcement the critical banking and password information was not involved, the all-encompassing breach did release addresses, phone numbers and names.
Oath, now in charge of the situation, said in a statement regarding the revelation: “Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account.”
NCSC bombarded by cyberattack reports in first year of operation
Mastercard predicts the future with pre-emptive cybersecurity defence
Amazon owned Whole Foods investigates card data breach
This news that in fact all of the Yahoo accounts were affected in the 2013 hacks marks an end to a grim saga that will become a landmark in cybersecurity history, and an example of how not to handle cyber incidents.
Chandra McMahon, Chief Information Security Officer, Verizon, said: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats… Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”