The massive data theft from Yahoo in 2013 is even bigger than first thought. It was big enough when it was believed to have affected around a billion users, but Yahoo has now provided an update indicating that the number is in fact three billion. Or, to put it another way, every single Yahoo user.
Yahoo, now part of Oath, has issued a statement in which it stresses that the updated figure does not represent "a new security issue" and that plaintext passwords were not accessed. The biggest data breach in history just got even bigger, and it's going to take a lot for Yahoo, Oath and Verizon -- the new owner -- to move on from it.
Anyone who has been affected by the breach -- that is, anyone who has ever had a Yahoo account -- should receive a notification from the company advising them about what has happened. The fallout from the hack has already been tough on Melissa Mayer, who gave up her cash bonus last year. A number of lawsuits have also been filed against the company.
In a statement on the Oath website, Yahoo says:
Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
Security experts are less than impressed with Yahoo's handling of the situation. Ilia Kolochenko, CEO of web security company High-Tech Bridge, says:
Taking into consideration that the integrity of Yahoo user accounts was compromised, one can reasonably infer that Yahoo ignored the fundamental principles of access segregation, continuous security monitoring and related security processes. Therefore, it’s a bit hard to believe that sensitive information related to these accounts remained safe. Moreover, even hashed passwords can be bruteforced and then leveraged by the attackers. Information like date of birth or answer to secret question(s) can be a universal door-opener for cybercriminals. Anyway, Yahoo has already learned a very hard lesson and served an example to others that cybersecurity is pivotal for digital business.
Chandra McMahon, chief information security officer at Verizon, says that its investment in Yahoo means that significant improvements have been made to security.