All Yahoo accounts hit by 2013 hack
NEW YORK: It was the biggest known breach of a company’s computer network. And now, it is even bigger.
Verizon Communications, which acquired Yahoo earlier this year, said on Tuesday that a previously disclosed attack that had occurred in 2013 affected all 3 billion of Yahoo’s user accounts.
Last year, Yahoo said the 2013 attack on its network had affected 1 billion accounts. Three months before that, the company also disclosed a separate attack, which had occurred in 2014, that had affected 500 million accounts.
Digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack.
The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world.
Yahoo sold itself to Verizon for US$4.48 billion in June. But the deal was nearly derailed by the disclosure of the breaches and $350 million was cut from Verizon’s original offer. Yahoo was combined with AOL, another faded web pioneer that Verizon bought in 2015, into a new division of the telecommunications company called Oath.
That investigators did not discover the full extent of the 2013 incident before Verizon closed the deal to acquire Yahoo in June was surprising to outside cybersecurity analysts.
“Frankly, I don’t know how Yahoo got away with this,” said Jay Kaplan, a former Defense Department cybersecurity expert and senior analyst at the National Security Agency who is now the chief executive of the cybersecurity company Synack.
After Yahoo discovered that 1 billion accounts were affected, it should not have been a stretch to consider that all of the company’s user accounts had been compromised, he said. “My guess is that Yahoo was completely ‘owned’ across the board,” Kaplan said.
Verizon said in a statement that, with the assistance of outside forensic experts, it had determined that all Yahoo’s user accounts were affected. The company said it would continue to work closely with law enforcement.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance security, as well as benefit from Verizon’s experience and resources,” Chandra McMahon, Verizon’s chief information security officer, said. The company said it did not have more to add beyond an additional fact sheet for users.