In December 2016, Yahoo had claimed that more than one billion accounts were compromised in the infamous 2013 breach. However, Verizon Communications that acquired Yahoo for $4.48 billion on Tuesday revealed that all three billion of company’s accounts were compromised, as it directs users to a site set up.
In a post titled, “Yahoo 2013 Account Security Update FAQs”, the company said, “Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016. This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts”.
Back in 2016, Yahoo had issued a statement saying, “The hack exposed user account information, which includes name, email address, hashed passwords, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers”. However, the company’s investigation confirmed that credit card and bank account data was not hacked in the breach.
“Three billion figure included many accounts that were opened but that were never, or only briefly, used”, a Yahoo official said.
David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC emphasized that “the investigation underscored how difficult it was for companies to get ahead of hackers, even though they knew that their networks had been compromised”.
Bitglass CEO Rich Campagna said, “Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented”.
Carl Wright, CRO at AttackIQ, termed the incident an “epic failure” and called for companies to “seriously, find protection failures before the adversary does”.
Lucy H Koh, a district judge in San Jose, California on August 30 ruled that Yahoo! will have to face action for a series of data breaches. According to company securities filing in May, Yahoo already faces at least 41 consumer class-action lawsuits in the U.S. federal and state courts.