When the 2013 Yahoo data breach was first discovered, it was quickly found to have affected many of the company’s customers, and in December 2016 it was announced that 1 billion accounts had been compromised.
In September 2016, prior to that announcement, a separate breach was discovered that affected approximately half a billion email accounts. Now Verizon, which completed the purchase of Yahoo in Summer 2017, has found that the 2013 Yahoo data breach was far worse than originally imagined.
It is now believed that all Yahoo accounts were affected, roughly 3 billion email accounts – every account that was active at the time of the breach. The hackers are understood to have accessed the accounts using forged cookies.
Verizon revealed in the last few days that during the integration of Yahoo into its Oath subsidiary, external forensics experts found new intelligence showing that all email accounts had been breached and that an additional 2 billion email accounts had been compromised. All of the additional account holders have been sent an email alert advising them that their accounts may have been breached.
While clear text passwords were not obtained, it is still possible that email accounts could be accessed. Passwords were hashed, although the method employed was not particularly secure – Yahoo used the MD5 algorithm, which has since been shown to be insecure. That said, even at the time MD5 was not an industry best practice. Additionally, plain text security questions were seen by the hackers, along with user IDs and backup email address details.
The number of accounts accessed by the hackers responsible for the attack remains unknown, although one of the hackers involved is thought to have accessed at least 6,500 accounts.
After the data breach was discovered in 2016, Yahoo issued a forced password reset on all users’ accounts, so it is unlikely that the latest announcement will have any additional impact on account holders, but it will almost certainly lead to more consumers joining the 40 or more class action legal cases that have already been initiated following the 2013 Yahoo data breach.