Yahoo Breach Update: Every single Yahoo account was impacted by the 2013 breach, now three times larger than initially reported
The Yahoo data breach incident that happened in 2013 was initially reported to have only impacted 1 billion users at the time making it the largest data breach in history. However, it has just been announced that the impact was, in fact, much worse as the massive data breach affected not just 1 billion but all 3 billion Yahoo users.
In addition to those who registered Yahoo email addresses, anyone with accounts for Yahoo-owned services like Flickr, Tumblr or Yahoo fantasy sports leagues are also included in the 3 billion records impacted.
The company, now part of Oath under the recent Verizon acquisition, disclosed that this new information came to light during the integration of the companies. Oath released a statement today highlighting the details of the breach and corrective measures being taken:
“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
You should take the time now to secure your Yahoo account and migrate any personal or sensitive data to a more protected source even if you do not intend to continue using Yahoo or its other services. You should also do the following immediately:
- Please change your passwords, security questions and answers for any accounts with the same or similar credentials to something unique and complex, especially your Yahoo account and accounts containing sensitive data.
- Avoid and be cautious of any unexpected emails (or other communication channel) in which you’re asked for personal information or suspicious links to places asking for personal information.
- Use a password manager to help you manage new and complex passwords for your accounts. Dashlane Password Manager allows for unlimited password storage and access, you can get it here now for free.
Read the full statement from Oath and Yahoo below:
NEW YORK, N.Y., October 3, 2017-Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Additional information regarding this issue is available on the Yahoo 2013 Account Security Update FAQs page, https://yahoo.com/security-update .