Yahoo now says that all of its 3 billion users were affected in the 2013 breach, disclosed last year, tripling the total number of victims initially reported. In a filing with the Securities and Exchange Commission (SEC) that itself disclosed a massive cyberattack last month, Verizon, that now owns Yahoo, revealed that "all Yahoo user accounts" were compromised in the biggest breach we have seen so far.
Verizon says everyone who had a Yahoo account was compromised
Last year, Yahoo reported that around 1.5 billion accounts of over 1 billion users had been compromised by a data breach that originally occurred in 2013. The company had disclosed the massive data breach during the final days of its acquisition by Verizon. The new owner of Yahoo now reveals that actually the company had managed to compromise every single account. This puts the total number of affected accounts at around 3 billion, about 40% of the world’s total population.
Verizon disclosed the new findings after an internal investigation into the breach with the SEC earlier this afternoon. The filing revealed [PDF]:
"Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft."
The compromised user data included phone numbers, birth dates, security questions and answers, and "hashed" passwords, Yahoo had revealed on its website following the disclosure last year, adding that the stolen data didn't include "passwords in clear text, payment card data, or bank account information." However, it was later revealed that the encryption technique used was outdated.
In its filing with the SEC today, Verizon said that the company is "committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats".
Chandra McMahon, Chief Information Security Officer at Verizon, said in a statement, "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources."
Earlier this year, the US Department of Justice had charged Russian officials for state-sponsoring the Yahoo hack. Today's news comes four months after Yahoo's acquisition by Verizon Communications for $4.48 billion, down $350 million from the initial offer after Yahoo disclosed the massive data breach..
The company is currently sending email notifications to the account holders who didn't receive the notification earlier as they weren't considered to be impacted by the breach.