Yahoo announces 2013 hack hit the accounts of all 3 billion users
SAN FRANCISCO - All 3 billion of Yahoo’s users as of 2013 were affected by a data theft the company originally said had only affected 1 billion users, Yahoo said Tuesday.
That makes the Yahoo hack far and away the largest in history.
The additional 2 billion data theft victims came to light as Yahoo was being integrated with Verizon, which bought the company in June for $4.5 billion.
“During integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” the company said in a statement posted Tuesday on its website.
Verizon negotiated down its purchase price for Yahoo by $350 million because of two massive breaches the online media company suffered. The first, in 2013, was believed to be the largest reported data breach ever, involving the theft of data associated with more than 1 billion user accounts. Yahoo revealed that breach in December 2016.
The other breach, which occurred in 2014 and was revealed by Yahoo in September 2016, affected at least 500 million Yahoo accounts and was believed to have been the work of a state-sponsored actor.
The revelation isn’t a huge security issue for the company or for users, though it is a black eye at a time when cybersecurity is in the limelight because of the Equifax hack. The 2016 investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information.
Yahoo said it would send email notifications to the additional affected user accounts.
Yahoo disclosed in November that law enforcement officials had given it data files showing what appeared to be evidence that an unknown third party had access to Yahoo user data. At the time, Yahoo brought in outside forensic experts and confirmed that the data was in fact from Yahoo users.
Yahoo said in 2016 it did not know who was behind the theft. The company said it didn’t know when they had gained entry to its network or how long they were there before they stole the user information.