Yahoo admits 2013 breach hit all 3 billion users

Last year, Yahoo revealed that approximately 500,000 user accounts had been hacked in late 2014, exposing names, email addresses, encrypted passwords and other sensitive data. 

The company soon after admitted that approximately one billion accounts were compromised in a separate breach that occurred in 2013, making it the largest confirmed incident on record. 

However, Yahoo has now revealed that the 2013 breach was far more serious than first expected. Verizon, which finalised a deal to buy Yahoo this year, has announced that all three billion user accounts were affected. 

Verizon subsidiary Oath said a forensic investigation, supported by external third parties, had only just begun to unveil the true extent of the breach. 

Yahoo users warned of breach

Oath was quick to allay the fears of Yahoo users, claiming the stolen information did not include unencrypted passwords, credit card details or other payment information. 

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, chief information security Officer at Verizon.

“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

The organisation will continue to work with law enforcement regarding the breach and has contacted affected users via email. 

Nevertheless, the news is a concern for Verizon, which only confirmed the Yahoo acquisition in June. Yahoo’s performance had slumped in recent years and it sought to sell off its internet business for $4.8 billion (£3.65 billion). 

News of the 2013 and 2014 attacks broke last year, leading to Verizon dropping its offer by $300 million to $4.5 billion. 

Are big businesses failing to protect customers?

Questions will no doubt be raised as to how such a huge organisation could overlook a breach of this magnitude for so long. 

Media reports show the attack only came to the attention of Yahoo in 2016 after cyber criminals began selling the data on the dark web. 

Founder of Holden Security Alex Holden, talking to the New York Times last year, said it was one of the most serious and far-reaching breaches of people’s privacy on record. 

“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” he explained. 

The Yahoo news comes at a time when Equifax has also been forced to admit that a breach disclosed on September 7th was more serious than first estimated. A further 2.5 million American customers were affected in the attack, bringing the total to 145.5 million people in the country – nearly half the population. 

While Yahoo’s one billion accounts dwarfs the Equifax figure, the latter’s is deemed especially worrying because the credit card details of 200,000 individuals were exposed in the attack. 

Equifax announced on Monday (October 1st) that 8,000 Canadians had also been affected. Meanwhile, investigations are still ongoing regarding the number of UK citizens involved.

Our 2017 Compensation and Market Trends Report combines our review of the prevailing conditions in the security & resilience recruitment market together with the results of our latest employer survey.