It took Yahoo three years to realize a data breach had occurred in August 2013 and another 11 months to understand the full scope of user accounts impacted by that breach.
Previously, it was reported that 1 billion user accounts were compromised during the 2013 Yahoo data breach — which was separate from the 2014 Yahoo data breach affecting 500 million users — but a new filing has corrected that number by admitting that all 3 billion user accounts that existed in 2013 were impacted.
Between the initial Yahoo breach disclosure in December 2016 and today, Yahoo was purchased by Verizon for $4.5 billion — after a $350 million discount due to the breach — and is now part of a Verizon subsidiary called Oath.
In a filing to the SEC, Oath admitted the new information regarding the Yahoo data breach was uncovered while the merger was taking place.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” Oath wrote in its statement. “The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
The one billion users originally thought to be affected were already notified by email and Oath said the other users affected by the Yahoo data breach have also been notified by email.
According to Yahoo, the stolen user account information from the Yahoo data breach “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” The company said it “invalidated unencrypted security questions and answers” so they could not be used by malicious actors to access accounts.
What to do
If anyone affected reused those same security questions on other accounts, however, experts urged that they be changed there as well.
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, an information security company headquartered in Framingham, Mass., noted that passwords should also be changed since MD5 hashes are not considered secure.
“While the attack may not have included clear text passwords, or ‘valuable’ data such as card details, as we recently saw in the Equifax hack, the accounts are still at risk, and hackers can do a lot of damage with very little information. Whether you continue to use these accounts today or not, changing your passwords is the only way to guarantee your personal information is secure,” Galloway told SearchSecurity. “The same also goes for Yahoo owned properties, such as Flickr and Tumblr.”
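To make the MD5 point concrete, the following added example (not code from the article, Yahoo, or any of the companies quoted) contrasts the legacy storage style named in the disclosure, a single unsalted MD5 digest per account, with salted PBKDF2-HMAC-SHA256. The usernames and passwords are constructed sample data, and the 600,000 iteration count is an assumed value chosen for the example. It shows why a leaked table of unsalted MD5 digests is dangerous on its own: equal passwords produce equal digests, so reuse is visible across accounts and one matched digest unlocks every account sharing it, whereas per-account salts and a slow hash remove both properties.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials for illustration only (not real breach data).
SAMPLE_USERS: Dict[str, str] = {
    "alice": "summer2013",
    "bob": "summer2013",      # same password as alice
    "carol": "correct horse",
}


def md5_unsalted(password: str) -> str:
    """Legacy style referenced in the disclosure: one fast, unsalted MD5 digest.
    No salt means the digest depends only on the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reuse_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames whose stored digests are identical.

    With unsalted MD5, equal passwords give equal digests, so a leaked table
    by itself reveals which accounts share a password; a defender auditing a
    legacy store can use the same check to find accounts needing forced resets.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Assumed iteration count for this example; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow password hash. A fresh random salt per account
    means two users with the same password get unrelated stored values."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the iteration count can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def compare_schemes(users: Dict[str, str]) -> Dict[str, object]:
    """Build both stores for the sample users and report what each one exposes."""
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    pbkdf2_store = {u: pbkdf2_hash(p) for u, p in users.items()}
    return {
        "md5_reuse_visible": reuse_groups(md5_store),      # alice and bob collide
        "pbkdf2_reuse_visible": reuse_groups(pbkdf2_store),  # empty: salts differ
        "pbkdf2_verifies": all(pbkdf2_verify(p, pbkdf2_store[u]) for u, p in users.items()),
    }


if __name__ == "__main__":
    for key, value in compare_schemes(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Running the block prints one reuse group for the MD5 store (alice and bob) and none for the PBKDF2 store, while every PBKDF2 record still verifies its own password. The record format embeds the salt and iteration count so a site can raise the cost factor over time and re-hash accounts on their next successful login instead of waiting for a breach to force a reset.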
Willy Leichter, vice president of marketing for Virsec Systems, an application security company based in San Jose, Calif., told SearchSecurity, “This news will add more fuel to fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we’ve seen with the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR.”
Rich Campagna, CEO at Bitglass, a cloud access security broker company based in Campbell, Calif., said that having all 3 billion users affected in the Yahoo data breach was “unprecedented.”
“It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm,” Campagna told SearchSecurity. “This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business.”
Carl Wright, CRO for AttackIQ, a cybersecurity company based in San Diego, Calif., said “consumers worldwide and shareholders deserve better.”
“It is one thing to deploy security controls, it is completely another thing to know that they are working correctly,” Wright told SearchSecurity. “This is why we believe the best defense is a good offensive — continuously testing your security stack the same way the adversary does.”