October 4, 2017
Yahoo announced yesterday that all 3 billion of its user accounts were affected by a previously disclosed August 2013 cyberattack, originally reported by the company as affecting 1 billion accounts. Yahoo had earlier reported that a separate 2014 attack affected 500 million accounts. Last year we learned that “digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack,” according to The New York Times. “The intruders also obtained the security questions and backup email addresses used to reset lost passwords.”
Yahoo said it has been working with outside forensic experts, and discovered that all 3 billion accounts had been affected. The company is continuing to work with law enforcement.
TechCrunch reports that the new evidence was unearthed after Yahoo was purchased by Verizon. The following is taken from the Yahoo notice:
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.”
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” said Verizon chief information security officer Chandra McMahon.
“Frankly, I don’t know how Yahoo got away with this,” said Synack chief exec Jay Kaplan, who formerly held positions with the Defense Department and National Security Agency. “My guess is that Yahoo was completely ‘owned’ across the board.”
“Investigators believe the attackers behind the 2013 breach were Russian and possibly linked to the Russian government,” notes NYT. “In March, the Department of Justice charged four men, including two Russian intelligence officers, with the 2014 breach” that affected 500 million accounts.
Verizon acquired Yahoo in June and combined it with AOL to create Oath, a new division of the telecom company.