The 2013 Yahoo hack – the biggest data breach in history – was three times bigger than previously reported, affecting all three billion of the embattled web giant’s accounts.
The firm announced last night that it learned of the true scale of the hack during an investigation following its sale to US telco Verizon earlier this year.
The breached data included names, addresses, phone numbers and hashed passwords, but no payment card or bank account data. Yahoo has pledged to email all “additional affected user accounts”.
Verizon closed the acquisition of Yahoo in June for $4.5bn, after cutting $300m off the original price in light of massive hacks in 2013 and 2014.
Webroot’s director of threat research, David Kennerley, said he was unsurprised by the announcement:
“It’s incredible news that three billion Yahoo! user accounts were affected by the data breach in 2013, but at the same time probably not a real surprise. The hackers had pretty much free rein over Yahoo systems for a good while – with the breach only being initially disclosed by the company in late 2016.
“All the stolen data, including emails, passwords and security questions, made a potent package for identity theft. The fact that the accounts were compromised for so long means that most of the damage would have already been done before the breach was even discovered.”
Verizon’s CISO Chandra McMahon said in the statement: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats.”
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”