The Daily Swig | Web security digest

Chaos after the storm: Yahoo data breach found to affect all 3bn customers

James Walker | 04 October 2017 at 16:00

New intelligence sees web giant revise hacked account figures upwards… to 100% of its user base in 2013.

Attempts by Yahoo to recover its damaged reputation have hit another stumbling block, after the web services giant yesterday revealed that every single one of its customer accounts was likely to have been compromised in the August 2013 data theft.

In December last year, the company disclosed that more than one billion of its approximately three billion user accounts were thought to have been affected by the high-profile hack, which is considered to be the largest discovered in the history of the internet.

Now, however, following Verizon Communications’ $4.48 billion acquisition of the world’s third-biggest search engine and the integration of the business into the group’s newly-formed Oath subsidiary, Yahoo said it had obtained new intelligence that indicated all three billion user accounts were compromised.

“Following an investigation with the assistance of outside forensic experts, [the company now believes] that all Yahoo user accounts were affected by the August 2013 theft,” the group said in a statement.

In 2016, Yahoo took action to protect the one billion accounts it then considered to have been compromised, including directly notifying impacted users identified at the time, requiring password changes, and invalidating unencrypted security questions and answers so that they could not be used to access an account.

This action is being replicated in light of the new intelligence, with Yahoo stating that it was sending email notifications to the additional affected user accounts.

“The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information,” said the group. “The company is continuing to work closely with law enforcement.”

Following Yahoo’s revelation, the National Cyber Security Alliance (NCSA) emphasized the importance of staying safe online.

“Major data breaches – which, like the Yahoo event, can affect billions of people – remind us that we must be vigilant in protecting our personal online information,” said Michael Kaiser, executive director of the NCSA.

“An easy first step for everyone to better secure all email, social media and financial accounts, is to ‘lock down your login’ with security tools such as multi-factor and strong authentication, which provide an additional layer of protection.”