New intelligence reveals the largest data breach in history was even bigger than first thought.
Yahoo has announced that all three billion of its accounts were affected by a hack in 2013, tripling the number of victims of a data breach already considered the largest in industry history.
In December last year Yahoo publicly disclosed that more than one billion user accounts had been affected by a breach of its systems, leading to US$350 million being wiped off the takeover deal by Verizon.
However, Yahoo, a company formed during the earliest days of the internet, has now “obtained new intelligence” that suggests that all three billion of its user accounts were breached.
Announcing the results of a recent investigation, a company statement by Verizon subsidiary Oath said that stolen information included names and addresses, but that passwords stored in plain text and credit card or transaction information remained secure. The company said it continues to work closely with law enforcement agencies and forensic experts.
“In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account,” Yahoo said in the statement.
Unfortunately, experts claimed in December that encryption technologies used on the passwords were out of date and could be easily bypassed, and that password recovery questions and linked email addresses were included in the data dump, increasing the likelihood that other accounts could be targeted.
The new development will likely have significant legal implications for Verizon, which secured Yahoo in June for US$4.48 billion. As part of those terms, Verizon agreed to share regulatory liabilities for both the 2013 data breach and a second data breach revealed to have affected 500 million accounts in 2014.
Verizon's CISO Chandra McMahon said that the company is “committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats”.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources.”
However, Yahoo currently faces as many as 43 class-action lawsuits from both the 2013 and 2014 hacks, according to a company filing in May, a figure that is almost certainly going to increase. John Yanchunis, the lawyer representing Yahoo customers, said the cases had stalled because a federal judge required more information to legally justify the claims of his clients.
Speaking to Reuters, Yanchunis said: “I think we have those facts now. It's really mind-numbing when you think about it.”
In response to the news, US Senate chairman John Thune said that a hearing will be held later in the month that will cover two massive data breaches at both Yahoo and Equifax, according to Recode. In those reviews, the Senate will decide whether “new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come.”