The massive Yahoo cyberattack was recently reported to have impacted 500 million users. Yahoo also claimed that the attack appeared to have been conducted by a nation-state-backed hacker. However, security experts have questioned that claim, as the facts about the Yahoo cyberattack released so far do not tally with a state-sponsored attack.
Now, a former Yahoo executive has spoken out about the attack and says the Yahoo breach could have affected substantially more users: more than twice as many. The breach is already the largest ever discovered, yet more than 1 billion users may have been affected. In an interview with Business Insider, the former executive said that the architecture of Yahoo’s systems is such that a breach would likely have compromised many more user accounts.
While the individual is no longer employed at Yahoo, she claims to have been in touch with someone who was involved in the breach investigation and says, “How they came up with 500 is a mystery.”
According to the breach notice issued by Yahoo, at least 500 million users were affected. The insider claims the breach could actually impact up to 3 billion current and former users. The problem appears to be how Yahoo authenticates users who log in to any of its services: because usernames and passwords are verified against a single central user database containing all records, a breach of that database is likely to have exposed every account. There were as many as a billion active users at the time of the breach, and many more former or lapsed users who had not deleted their accounts.
It is possible that the database was compromised but only a percentage of user accounts were stolen. Yahoo could even have identified the breach and stopped the exfiltration of data before it was complete. The investigation into the breach is ongoing, but without further information on how the breach occurred, exactly how many accounts were compromised, how the data were accessed, and when the breach was discovered, the scale of the Yahoo cyberattack will remain a mystery. One thing that is certain is that this was the largest data breach ever reported.