Yahoo has revised its report of a 2013 security incident by clarifying that the event exposed every one of its three billion user accounts.
On 3 October 2017, Yahoo published an update about an August 2013 security incident. When it disclosed the incident in December 2016, the company believed it had affected one billion of its three billion user accounts. A statement published by Oath, a digital and mobile media company that facilitates Verizon’s ownership of Yahoo, reads:
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
Yahoo is now working to notify the additional two billion users that the security incident exposed their personal information, including their names, telephone numbers, dates of birth, and hashed passwords, as well as their security questions and answers in encrypted and unencrypted form. The web services provider says the breach did not compromise other sensitive data such as cleartext passwords, credit card details, or banking information.
Yahoo went on to confirm that it continues to assist law enforcement personnel with their investigation of what happened in August 2013.
Jason Hart, chief technology officer of data protection at Gemalto, is disheartened to hear of Yahoo’s update:
“According to Gemalto’s latest Breach Level Index, 918 data breaches led to 1.9 billion data records being compromised worldwide. Using what we currently know about this latest Yahoo breach, this would be the largest data breach of all time. While it is ‘news’ that Yahoo is making another announcement about its 2013 breach, it should be more concerning that it’s taken almost four years to get to the bottom of a breach of this magnitude. It speaks to the amount of work we in the security industry still need to do.”
Hart went on to explain that companies can protect themselves against breaches such as the one that struck Yahoo by adopting a data-centric view of digital threats. This approach means moving security controls closer to the data itself and to the users accessing it, using data encryption, secure key management, and multi-factor authentication services.
To download the entire Breach Level Index findings for the first half of 2017, click here.