Yahoo’s massive 2013 data breach, affecting more than one billion of its user accounts, reappeared this week with significantly worse numbers.
The company announced Tuesday that all 3 billion of its accounts were, in fact, affected at that time, leaving additional billions of user accounts vulnerable in the interim.
The revelation follows Yahoo’s acquisition by Verizon, which paid $4.8 billion for the struggling company in hopes of combining it with AOL to create a new entity named Oath. New intelligence prompted a forensic analysis, which subsequently led to Tuesday’s revision.
“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement,” the company said in its statement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Verizon Chief Information Security Officer Chandra McMahon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Protecting stolen information
In an FAQ section of its security update web page, Yahoo says that stolen information involved in the 2013 breach may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and (in some cases) encrypted or unencrypted security questions and answers.
To counter the breach, Yahoo required potentially affected users to change their passwords and invalidated unencrypted security questions and answers last December.
However, in light of the recent revision, the company says that all users should change their passwords and security questions, review their accounts for any suspicious activity, and use an abundance of caution when clicking or downloading unsolicited messages, links, or attachments. The company also advises using its Yahoo Account Key authentication tool.
Users are also free to switch to a different email service, but either way they will still need to keep monitoring their accounts and personal information.
Largest breach to date
The latest announcement multiplies what was already the largest data breach in history, and will almost certainly mean more litigation for both Yahoo and Verizon.
In late August, U.S. Judge Lucy Koh ruled that class actions over the breach would be allowed to move forward. While she dismissed some parts of one particular case, she said that Yahoo’s actions “alleged risk of future identity theft” and “loss of value of [users’] personal identification information.”
Koh also said that plaintiffs would be well within their rights to pursue breach of contract and unfair competition charges against Yahoo because they would have been able to close their accounts if they had known about the data breach earlier.