HACKERS stole personal data from all three billion Yahoo user accounts during a cyberattack in 2013, the tech giant has revealed. This gigantic digital assault is considered the largest in the history of the internet – even when it was originally estimated to have hit one billion accounts.
Now Yahoo has tripled its estimate of the number of accounts affected.
The company initially said that personal information, including names, email addresses and security questions, relating to one billion accounts was accessed by a “third-party”.
It was later claimed that a database containing one billion Yahoo account holders’ personal information was being sold by Eastern European crooks on the Dark Web for £300,000.
External forensic experts were brought in after Yahoo was acquired by Verizon, and the company has now tripled the number of accounts it believes were compromised.
A statement said the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information and that all affected customers have been contacted.
The company’s chief information security officer Chandra McMahon said: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats.”
The breach now affects a number that represents nearly “half the world,” said Sam Curry, chief security officer for Boston-based firm Cybereason, though there are likely to be more accounts than actual users.
“Whether it’s 1 billion or 3 billion is largely immaterial. Assume it affects you,” Curry said. “Privacy is really the victim here.”
Yahoo had already made users change their passwords and alter their security questions to remove sensitive information such as the maiden names of their mothers or other private details used to verify their identity.
The disclosure is also a huge embarrassment for Verizon, which has just started running TV ads for its new subsidiary Oath, which will consist of Yahoo and AOL services.
Companies often don’t know the full extent of a breach and have to revise statements about how it affects customers years later, said Ben Johnson, co-founder and chief technology officer for Obsidian Security, based in Newport Beach, California. Johnson said Yahoo might never know exactly what was accessed.
“The fact is attackers are having field days and the problem is only going to get worse,” he said.