In 2016, Yahoo announced that up to one billion accounts were affected by a data breach in August 2013, but it has now emerged that the impact was three times greater.
In February 2017, Yahoo accepted a $350m reduction on its original $4.83bn sale to Verizon due to subsequent revelations about data breaches in 2013 and 2014 affecting one billion and 500 million accounts respectively.
Around 43 consumer class-action lawsuits have also been filed against the company, Yahoo said in a May filing with the Securities and Exchange Commission, reports the Guardian.
But nearly a year after the one billion figure was announced, Oath, the Verizon subsidiary that now owns Yahoo’s core business, has revealed that all Yahoo user accounts were affected.
Oath said in a statement: “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all [three billion] Yahoo user accounts were affected by the August 2013 theft.”
The company also noted that in 2016, Yahoo took action to protect all accounts, including directly notifying affected users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users through a notice on its website.
According to Oath, no new security issues have been uncovered, but it is sending notification emails to all additional affected user accounts.
The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information, the company said, adding that it continues to work closely with law enforcement.
The stolen information did, however, include names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers, which can all be used by cyber criminals to steal identities and commit other crimes.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, chief information security officer at Verizon.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
The figure dwarfs the recent Equifax data breach affecting 145.5 million US consumers, and the breach underlines that data breaches remain a challenge that boards need to address more effectively.
Independent cyber security advisor Graham Cluley wrote in a blog post: “It’s a sorry state of affairs when I find myself more surprised that Yahoo had somehow amassed three billion user accounts by 2013, than the fact that they managed to lose control of their data. What a disaster.”
Kevin Bocek, chief security strategist for Venafi, said: “Unfortunately, today’s revelation is not surprising. To move such a massive amount of data, the attackers behind the Yahoo breach almost certainly exploited a blind spot in Yahoo’s encrypted tunnels.
“It’s nearly impossible for any organisation to detect unauthorised, encrypted traffic coming in or out of their network unless they have strong cryptography practices. It’s also entirely possible that the attackers that perpetrated the 2013 breach retained access to the Yahoo network and attacked again in 2014.
“This access would allow the perpetrators to empty the bank vault without anyone noticing. Unfortunately, Yahoo’s cryptography practices are not unusual. Undetected exfiltration of large amounts of data is a symptom of weak cryptography practices. We see this in nearly every major data breach.”