5 things you need to know as Yahoo data breach rises to 3bn accounts

4 Oct 2017

Yahoo offices, San Francisco. Image: Todd A Merport/Shutterstock

Verizon’s digital division Oath says Yahoo breach in 2013 was three times bigger than originally reported.

The massive data breach at Yahoo in 2013 was more extensive than originally believed, with some 3bn user accounts affected – not just the 1bn accounts Yahoo first disclosed in December 2016.

The latest disclosure comes four months after Verizon completed its acquisition of Yahoo.

The original revelation threatened the $4.4bn takeover of Yahoo by US telecoms giant Verizon, and saw the deal close for some $350m less than what Verizon was originally prepared to pay.

The price for Yahoo, one of the original forerunners of the internet economy, had fallen a long way from the more than $40bn Microsoft had been willing to pay several years earlier, before bungling by Yahoo leadership saw Microsoft walk away from the table.

1. Have you been affected?

If you have a Yahoo, Tumblr or Flickr account then, most likely, yes. In all, some 3bn accounts were affected by the breach. Compromised customer information included usernames, passwords and, in some cases, telephone numbers.

Verizon said that the user information that was stolen did not include passwords in clear text, payment card data or bank account information.

All affected users have been contacted.

2. You don’t need to take action

Victims won’t need to take action because Yahoo already forced account holders to reset their passwords.

In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes, and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

3. The number of individual users affected may not be as high as 3bn

Oath, the new division that oversees Verizon’s internet businesses including AOL and Yahoo, said that after the acquisition had been concluded, the company obtained new intelligence and believes – with assistance from outside forensics – that all Yahoo user accounts were affected, including Tumblr, Flickr, email and fantasy sports.

The number of individuals affected, however, may be smaller than 3bn because often the same individuals held multiple accounts on the various services.

4. This data breach could be a sign of bigger things to come

It is a worrying sign that large companies with vast numbers of users are falling prey to hackers.

The latest revelation comes just days after the CEO of Equifax stepped down over the company’s handling of a data breach that saw 140m credit card customers’ details stolen by hackers. It also comes in the wake of data breaches at the Securities and Exchange Commission and accounting firm Deloitte.

5. Oath pledges to step up security

Verizon, which is transforming into a digital giant and not just a telecoms player, said it is stepping up efforts to ensure users are protected. The company has forged all its consumer divisions – including AOL and Yahoo – under one brand called Oath and knows that the trust of its user community is paramount.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, chief information security officer at Verizon.

“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
