
Yahoo Admits 2013 Data Breach Impacted All 3 Billion Accounts

Tom Jowitt is a leading British tech freelancer and long-standing contributor to TechWeek Europe

Yahoo now admits that devastating data breach compromised accounts that nearly equal half of the world’s population

Yahoo’s devastating 2013 data breach, which was already known to have compromised hundreds of millions of Yahoo accounts, is now much worse than first feared.

This is because it has now been confirmed that all 3 billion of its accounts were hacked in the 2013 data breach.

It should be noted that this figure of 3 billion accounts is roughly triple Yahoo’s earlier estimate: in December 2016 the company announced that more than a billion user accounts had been hacked.

Data Breach

Yahoo has previously said that the initial hack took place in August 2013, when an unauthorised third party stole data linked to a large number of accounts.

To make matters worse, Yahoo only discovered the 2013 hack in 2016, when it was investigating a 2014 data breach. That 2014 hack saw the data of 500 million accounts compromised, and prompted US senators to probe then Yahoo CEO Marissa Mayer on the way the company had handled the data loss.

But now a disclosure from Oath, the subsidiary of US telecoms firm Verizon that acquired Yahoo’s online assets in June for $4.48bn (£3.4bn), makes clear that the scale of that original 2013 hack was much worse than first thought.

“Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016,” said the firm in its statement.

“At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” it said. “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”


Yahoo also said it was notifying all additional affected user accounts and that it continues to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer of Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”


Huge Numbers

The new admission is likely to trigger additional lawsuits against the new owner from angry shareholders and Yahoo account holders. Even before this latest announcement, Yahoo was reported to be dealing with at least 41 consumer class-action lawsuits in US federal and state courts.

Verizon had already lowered its offer price for Yahoo by $350m after discovering the sheer scale of the data thefts.

And the new discovery has prompted insights from a number of security experts.

“Whilst cybercrime has risen up on everyone’s agenda, the scale of the attack on Yahoo in 2013 only underlines the magnitude of these attacks and the consequences they can have even years later,” said Sarah Armstrong-Smith, Head of Continuity & Resilience at Fujitsu in the UK and Ireland.

“When breached, almost without exception all companies issue a statement from the board to reassure investors and the market that security and data protection is taken very seriously,” she said. “The root of the problem is that in truth, it’s not a top priority for many until after a breach. With these latest developments, we’ll likely see the number of lawsuits and claims by shareholders and Yahoo account holders increase.

“And with the implementation of GDPR just round the corner, many businesses will soon find themselves having to pay regulatory fines on top of managing damage to customer relationships, limiting negative press around the brand and tackling inevitably strained stakeholder relations.”

Another expert also commented on the scale of the breach.

“The raw number of compromised accounts increase verges on the ridiculous and loses meaning as we get numbers normally only seen in astronomy,” said Sam Curry, CSO of security specialists Cybereason. “3 billion, 2 billion, 1 billion… how does this have personal meaning when it means half the population of the world?”

“The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate,” he added. “This is effectively compounding the three real issues behind the Equifax breach. Today, everyone should have been working under the assumption that they were affected years ago but may need reminding to watch their identities and credit for abuse.”
