Yahoo-oops! All 3 Billion Yahoo Users Were Exposed in 2013 Breach

In a filing with the US Securities Exchange Commission (SEC) on Tuesday, former Google competitor Yahoo! has revealed that all three billion of its users were compromised in the 2013 data breach first disclosed by the company in 2016.

This marks the second revision to Yahoo!‘s breach numbers. When Yahoo! first reported the hack, it put data casualties at the 500 million mark. The company then revised that amount to a cool one billion just two months later—at the time the largest data breach ever reported.

Yahoo! is now owned by Verizon, under the Oath brand, following a 2016 takeover in which the telecom co. paid over $4B for the faltering search biz.

In a brief statement, Oath said that it had “recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts,” that the breach was much bigger than it initially admitted. In fact, “all Yahoo user accounts were affected by the August 2013 theft.”

Stolen user account information included names, email addresses, phone numbers, dates of birth, MD5 hashed passwords, and even encrypted security questions and answers. Luckily, hackers were unable to access payment card data.

While many of the stolen passwords were bcrypt hashed, and thus well protected, affected users are strongly encouraged users to change their passwords, security questions and answers for Yahoo accounts and any other accounts that use the same or similar passwords and security questions. Yahoo is sending email notifications to the additional 2 billion (!!!) affected user accounts.

In March, American prosecutors indicted four men they say were responsible for the hack— two agents of the Russian Federal Security Service (FSB) and two civilian hackers. The DoJ alleges that FSB officers Dimitry Dokuchaev and Igor Sushchin “protected, directed, facilitated and paid” criminal hackers Alexsy Belan and Karim Baratov for the undertaking of massive hacking operation that stretched from 2014 to late 2016. So far Karim Baratov, a Kazakh national and resident of Canada, is the only one of the four accused hackers arrested in connection with the case. He is now in a US jail awaiting trial.

Yahoo! has also been held accountable for the hack—sorta. The company had to knock about $350M off its price tag when selling to Verizon, down from $4.8B to roughly $4.5B. That’s something, I guess. Former CEO Marissa Meyer also lost her job but walked away with a $55M golden parachute, so yeah, not that bad.

The new information begs the question—why did it take four years to figure out the full extent of the breach? And why did Yahootake so long to notify its users in the first place? And why is that exclamation point in italics? Unfortunately, until we get in the habit of holding corporations accountable for inadequate security, the world may never know.

Jeff Edwards
Follow Jeff

Jeff Edwards

Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large.He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.
Jeff Edwards
Follow Jeff

Leave a Reply

Your email address will not be published. Required fields are marked *