Yahoo has announced, though belatedly, that the 2013 hack of its servers had, in fact, compromised every single account that was in use at that time.
Over 3 billion customer accounts of Yahoo were breached by a single hack in 2013, a feat unlikely to be outclassed in the near future.
In December last year, Yahoo announced that a data breach that occurred in August 2013 had likely affected around 1 billion user accounts and compromised sensitive details of Yahoo's customers, including names, email addresses, phone numbers, dates of birth and hashed passwords.
In emails to affected customers, Yahoo also said that the breach had compromised "encrypted or unencrypted security questions and answers". In a fresh revelation, Yahoo has now indicated that the number of compromised user accounts is three times the number the company disclosed last year.
In fact, the breach was so severe that it ended up compromising 3 billion user accounts, which is basically every single user account that existed at the time of the breach.
‘Yahoo notified the users it had identified at that time as potentially affected. We recently obtained additional information and, after analyzing it with the assistance of outside forensic experts, we have identified additional user accounts that were affected. We are now notifying the additional user accounts,’ said Yahoo in a press release.
Yahoo also said that since last year, it has invalidated unencrypted security questions and answers so they cannot be used by hackers to access user accounts.
‘Although the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information, we encourage you to remain vigilant by reviewing your account statements and monitoring your credit reports,’ it added.
‘There will no doubt continue to be mega breaches, but in terms of personal records hacked, we’re unlikely to see anything larger anytime soon,’ says Jeremiah Grossman, Chief of Security Strategy at SentinelOne.
‘And the reason is unfortunate — there really aren’t any bigger targets to go after. The real problem with hackers cracking our passwords lies in society’s general reuse of passwords. As a matter of convenience, millions of people tend to use the same password across multiple accounts, which leaves them even more vulnerable when a breach of this scale occurs,’ he adds.
What this means is that Yahoo users who reused their Yahoo password on accounts with other services may also see those accounts breached. An attacker who recovers a plaintext password from the stolen hashes does not need to attack the other service's password storage at all; a correct login looks no different from the legitimate user. With millions of people reusing passwords across accounts, the blast radius of a breach extends well beyond the service that was actually compromised.
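The amplification described above, as an added example that is not part of the original article and does not model Yahoo's actual systems: a hypothetical breached "Service A" whose leaked table holds unsalted SHA-1 digests (the unsalted fast hash is an assumption for illustration; the article only says the stolen records held hashed passwords), and an unrelated "Service B" that stores passwords properly with salted PBKDF2. All accounts, passwords and the wordlist are constructed. The attacker cracks the weak unsalted hashes with a tiny wordlist and then replays the recovered credentials against Service B, whose salting and slow hashing do nothing to stop a reused password.

```python
import hashlib
import hmac
import os

# --- Constructed sample data (hypothetical services, not real breach data) ----

# Service A, the breached site. Its leaked table holds unsalted SHA-1 digests;
# that storage choice is an assumption made for illustration.
_SERVICE_A_PLAINTEXT = {
    "alice@example.com": "summer2013",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "letmein",
}
LEAKED_DUMP = {
    email: hashlib.sha1(pw.encode()).hexdigest()
    for email, pw in _SERVICE_A_PLAINTEXT.items()
}


# Service B, a different provider that stores passwords properly
# (random salt, PBKDF2-HMAC-SHA256). alice reuses her Service A password here;
# carol does not; dave never had a Service A account.
def pbkdf2_record(password: str, iterations: int = 50_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


SERVICE_B_USERS = {
    "alice@example.com": pbkdf2_record("summer2013"),  # reused from Service A
    "bob@example.com": pbkdf2_record("a-different-long-passphrase"),
    "carol@example.com": pbkdf2_record("unique-for-service-b"),
    "dave@example.com": pbkdf2_record("dave-only-uses-service-b"),
}


def service_b_login(email: str, password: str) -> bool:
    """Constant-time check of a login attempt against Service B's salted store."""
    rec = SERVICE_B_USERS.get(email)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    return hmac.compare_digest(candidate, rec["digest"])


# --- Attacker's view: the leaked dump plus a small wordlist --------------------

WORDLIST = ["password", "123456", "qwerty", "summer2013", "letmein"]


def crack_unsalted_sha1(dump: dict, wordlist: list) -> dict:
    """Recover plaintexts for every account whose unsalted hash matches a wordlist entry.

    With no salt, each candidate is hashed once and looked up against the whole
    dump, so the cost is O(len(wordlist)) regardless of how many accounts leaked.
    """
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


def credential_stuff(cracked: dict, login) -> list:
    """Replay each recovered (email, password) pair against another service.

    Salting and slow hashing on the target do not help: the attacker already
    holds the plaintext, so the target only ever sees a correct login.
    """
    return sorted(email for email, pw in cracked.items() if login(email, pw))


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(LEAKED_DUMP, WORDLIST)
    print("cracked from Service A dump:", cracked)
    print("Service B accounts opened by reuse:", credential_stuff(cracked, service_b_login))
```

Bob's long passphrase survives the wordlist, and carol's cracked Service A password fails on Service B because she chose a different one there; only alice, who reused, loses her Service B account. The defence on the target side is therefore not better hashing but per-user uniqueness (a password manager) and a second factor, plus rate-limiting and anomaly detection on logins that succeed from unusual sources.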
Rich Campagna, CEO at Bitglass, also questions how hackers could breach Yahoo’s entire user database in a single intrusion. That they could shows how a seemingly small gap in security can be devastating and have prolonged business impacts.
‘A breach where virtually all Yahoo users are affected is unprecedented. It’s difficult to imagine any circumstance in which an organisation committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate three billion records without setting off a single actionable alarm,’ he says.
Yahoo had already spent as much as $16 million on investigations and legal fees in Q1 2017 following its disclosure of the breach, which at that point was believed to have compromised over 1 billion user accounts. With the number of affected users now three times higher, the total cost to Verizon, Yahoo’s new owner, could rise substantially in the near future.