Yahoo now says all 3 billion accounts breached in 2013 hack

04 Oct 2017

Internet pioneer Yahoo on Tuesday admitted that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate one million accounts and sharply increasing the legal challenge of its new owner, Verizon Communications Inc.

According to the company, all of its 3 billion accounts were impacted, not 1 billion as earlier thought, including all people who have Yahoo emails, and all people who had registered for any other Yahoo service like Flickr or fantasy sports.

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders. Yahoo already faced at least 41 consumer class-action lawsuits in US federal and state courts, according to company securities filing in May.

Yahoo, now part of Verizon subsidiary Oath, also announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on 14 December 2016. At that time, Yahoo had said more than one billion of the approximately three billion accounts existing in 2013 had likely been affected.

Yahoo was acquired by Verizon for $4.5 billion and merged with AOL and made it a part of Oath Inc, a fully-owned subsidiary of Verizon Communications' Media and Telematics division.

However, in 2016, Yahoo said it took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Yahoo said the revelations came subsequent to its acquisition by Verizon, and that during integration, the company obtained new intelligence and following an investigation with the assistance of outside forensic experts, it has now come to light that all Yahoo user accounts were affected by the August 2013 theft.

While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information, a company filing said.

Yahoo said it is continuing to work closely with law enforcement.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, chief information security officer, Verizon.

"Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

According to attorneys, the news would likely add to the number and claims of class action lawsuits by shareholders and Yahoo account holders.