While the 2013 Yahoo data breach was soon known to involve many of the company’s customers, it became apparent in December 2016 that 1 billion accounts had been compromised.
Before that, in September 2016, a separate breach was discovered that involved around half a billion email accounts. Now Verizon, which finalized the purchase of Yahoo this summer, has discovered the 2013 Yahoo data breach was far worse than initially thought.
Instead of 1 billion accounts, it is now thought that all Yahoo accounts were compromised. That’s 3 billion email accounts: every account that existed at the time of the breach. The attackers are understood to have gained access to the accounts using forged cookies.
Verizon announced this week that during the integration of Yahoo into its Oath subsidiary, external forensics experts obtained new intelligence suggesting all email accounts had been breached and a further 2 billion email accounts had been compromised. All of the additional accounts have been emailed with a warning advising users that their accounts may have been compromised.
While clear text passwords were not stolen, it is still possible that accounts could be accessed. Passwords were hashed, although the method used was not particularly secure – Yahoo used the MD5 algorithm, which has since been shown to be unsafe. That said, even at the time MD5 was not an industry best practice. Additionally, plain text security questions were obtained by the hackers along with user IDs and backup email addresses.
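To make the MD5 point concrete, here is an added illustration (not Yahoo's code) that contrasts an unsalted MD5 password store with a per-user salted, memory-hard scrypt store and its verifier; the sample password and scrypt parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Added illustration (not Yahoo's code): why an unsalted fast hash like MD5
# is a weak password store, and what a salted, memory-hard KDF changes.

def md5_store(password: str) -> str:
    """Unsalted MD5, roughly the kind of scheme the article describes."""
    return hashlib.md5(password.encode()).hexdigest()

# scrypt parameters: constructed, modest values so the example runs quickly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_store(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a deliberately expensive KDF.
    The parameters are stored with the hash so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_hash_for_same_password(store, password: str) -> bool:
    """Two users choosing the same password: an unsalted store yields identical
    records (one cracked hash or lookup table cracks them all); a salted store
    does not."""
    return store(password) == store(password)

if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("md5 records identical across users:", same_hash_for_same_password(md5_store, pw))
    print("scrypt records identical across users:", same_hash_for_same_password(scrypt_store, pw))
    rec = scrypt_store(pw)
    print("verify correct:", scrypt_verify(pw, rec), "verify wrong:", scrypt_verify("x", rec))
```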
It is not known how many accounts were accessed by the hackers responsible for the attack, although one of the hackers involved is understood to have gained access to at least 6,500 accounts.
Following the discovery of the massive data breach in 2016, Yahoo forced a password reset on all users’ accounts, so it is unlikely that the latest announcement will have any further impact on users. It will, however, almost certainly result in even more consumers joining the 40 or more class action lawsuits that have already been filed in the wake of the 2013 Yahoo data breach.