Yahoo said Tuesday that the number of accounts impacted by a massive security breach in 2013 was three times larger than it had originally announced — meaning all accounts were affected.
Roughly 3 billion accounts were breached, the company now says, up from its earlier estimate of more than 1 billion.
The company has yet to disclose the cause of the breach. The new information emerged after Verizon Communications Inc., which purchased Yahoo’s Internet properties for $4.48 billion in June, received more intelligence about the breach with the help of outside forensic experts.
Analysts believe this is the world’s largest security breach based on the number of accounts affected. Some consumer advocates said it was inexcusable that the information was just being released now.
“It was outrageous that it took (Yahoo) three years on the first announcement, and now it’s unbelievable that a year later that they are saying, ‘Oops, it was three times what we thought,’” said John Simpson of privacy advocate group Consumer Watchdog. “These guys shouldn’t be in the Internet business.”
Information that could have been stolen from the accounts includes names, phone numbers, addresses and birth dates. Yahoo said it does not believe credit card, bank account data or passwords in clear text were illegally accessed. But experts caution that even basic information can be used to inflict harm and score big returns.
Phishing, a simple yet wildly effective tactic used by cybercriminals, works best when attackers have enough personal information to present people with authentic-seeming messages — from a bank, Internet service provider, school or even an employer. That makes the recipient more prone to click on a link to malicious software, or malware.
“We treat each one of these attacks as a stand-alone problem, but really, they’re just the launching point of what could come next,” said Oren Falkowitz, CEO of cybersecurity firm Area 1 Security. “Details pulled from your Yahoo account and a Social Security number from the Equifax breach can be put together to make for a very convincing phishing attack.”
Yahoo says that it continues to work with law enforcement, and Verizon says the Yahoo team is taking “significant steps to enhance their security.”
The 2013 breach is part of a series of mishaps for Yahoo, including a 2014 hack that affected at least 500 million accounts. The Department of Justice believes people employed by the Russian government were connected to that hack. The breach was disclosed after Verizon announced it planned to buy Yahoo’s Internet properties, and new terms for the deal were later negotiated, including a reduction in the acquisition price.
After the sale of Yahoo’s Internet properties, the remaining parts were renamed Altaba, an independent firm that oversees investments in companies such as Alibaba. In the sale, Altaba and Verizon agreed to split financial liabilities from the data breaches.
“The agreement with Verizon is unchanged,” an Altaba spokesman said.
U.S. Sen. John Thune, R-S.D., chairman of the Senate’s Committee on Commerce, Science and Transportation, said his group will call on Yahoo to testify about its recent breaches.
“I expect witnesses to think hard about their obligations to consumers and offer a sober assessment of remaining risks that could be the subject of a future announcement,” Thune said in a statement.
Kowsik Guruswamy, chief technology officer at Menlo Security, said that although companies ought to protect users, regulators and lawmakers should do more, too. In Europe, companies must report breaches within the first 72 hours after they learn they have been breached, he pointed out.
California and most other states have passed laws requiring disclosure of certain breaches of personal information, and Yahoo sent two notices to consumers under the California statute. But there is as yet no national law in the U.S. governing the matter.
As a result, consumers lack broad protections from negligent security practices, said Falkowitz from Area 1 Security: “The security industry has been let off the hook on that.”
From 2012 to the day Yahoo was sold, it employed three chief information security officers. In 2013, when Yahoo’s breach occurred, the company didn’t have a permanent information security chief.
Falkowitz, a former National Security Administration analyst, said he cleared out his Yahoo account last year. He said he would advise all those affected — including the additional users who may have just found out their accounts were compromised four years ago — to do the same.
“People need to vote with their dollars and their actions to really push these companies to do (things) differently,” he said.
Still, the breach disclosure last year did not significantly hurt traffic to Yahoo’s websites, and analysts said they did not expect that users will change their minds with Yahoo’s recent announcement.
“One billion versus 3 billion (account) breach won’t make a consumer difference,” said Patrick Moorhead, president of Moor Insights and Strategy. “If consumers haven’t left already, they likely won’t leave.”
How Yahoo’s security breaches unfolded
August 2013: Yahoo experiences a major security breach.
Late 2014: At least 500 million Yahoo accounts are hacked in a separate breach.
July 2016: Verizon says it plans to buy Yahoo’s Internet properties for $4.83 billion.
September 2016: Yahoo discloses information about the 2014 hack.
December 2016: Yahoo publicly says more than 1 billion accounts were breached in 2013.
June 2017: Verizon buys Yahoo’s Internet properties for the reduced price of $4.48 billion.
October 2017: Yahoo says it now believes the 2013 hack breached 3 billion accounts.