The nightmare that is Yahoo’s largest data breach in history seems to never end. Nearly a year after the disclosure was made, it seems that further investigation into the 2013 data breach has revealed that it wasn’t “just” 1 billion accounts affected, but 3 billion – or all of them. If you had a Yahoo account in 2013, whether it was email, Flickr or fantasy sports, it was all exposed.
Yahoo’s most recent notice discloses that new evidence indicates that all of its three billion accounts were impacted, not just the 1 billion previously reported in December 2016. Conveniently, the discovery was made after the Verizon acquisition went through. Yahoo merged with AOL and is now a part of Oath.
The company is trying to soften the new discovery by saying that it has taken steps to protect all accounts following the 2016 disclosure, including notifying impacted users who were identified at the time, asking them to change their passwords, and invalidating unencrypted security questions and answers so they could not be used to access the account.
Everyone should know that pretty much all the personal information tied to their Yahoo accounts was exposed – names, email addresses, telephone numbers, dates of birth, MD5 hashed passwords, and, for some, encrypted and unencrypted security questions and answers. That’s everything.
“The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected,” Verizon said.
Yahoo’s white lie
The problem with this statement is that it says the breach did not include “passwords in clear text,” which is accurate only to some extent. The thing is that MD5, which was used to “protect” them, is not an encryption method at all; it’s a hash, and one that has been shown time and time again to be an ineffective way to hide passwords. Therefore, you can pretty much consider the protection those passwords gave your Yahoo account equal to zero. Sure, you probably (hopefully) changed your Yahoo password in the last four years, but what are the chances you used the same password elsewhere? Pretty high, right?
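To make the point concrete, here is an added example (not code from the article, and not anything Yahoo used) that contrasts the kind of password storage described above with a sound alternative. The user records, passwords and wordlist are all constructed for the example; the salt length and PBKDF2 iteration count are this example’s own choices. It shows why unsalted MD5 digests give a defender essentially no protection: one precomputed digest per candidate word checks every user at once, and two users with the same password are immediately visible as such. The salted, slow-hash variant removes both properties.

```python
import hashlib
import hmac
import os

# Constructed sample: user records stored the way the article describes
# Yahoo's 2013 passwords, i.e. as plain, unsalted MD5 digests. The e-mail
# addresses and passwords are invented for this example.
SAMPLE_MD5_RECORDS = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"password123").hexdigest(),
    "dave@example.com": hashlib.md5(b"Tq9#vL2!wRzp").hexdigest(),
}

# A tiny constructed wordlist standing in for the very large public lists
# whose MD5 digests have long been precomputed.
SAMPLE_WORDLIST = ["123456", "password123", "letmein", "qwerty"]

# Example parameters for the hardened variant (assumptions, not a standard).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000


def recover_unsalted_md5(records, wordlist):
    """Return {user: password} for every record whose MD5 digest matches a wordlist entry.

    Because MD5 is unsalted and fast, the wordlist is hashed once and every
    record is checked with a dictionary lookup; no per-user work is needed.
    """
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in records.items() if digest in lookup}


def shared_password_groups(records):
    """Group users whose stored digests are identical.

    With unsalted hashes, equal digests mean equal passwords, which leaks
    password reuse across accounts without recovering a single password.
    """
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def store_password(password, *, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hash a password with a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).

    Returns "salt_hex$digest_hex" so the salt travels with the record.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored, iterations=PBKDF2_ITERATIONS):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("Recovered from unsalted MD5:", recover_unsalted_md5(SAMPLE_MD5_RECORDS, SAMPLE_WORDLIST))
    print("Users sharing a password:", shared_password_groups(SAMPLE_MD5_RECORDS))
    a = store_password("password123")
    b = store_password("password123")
    print("Same password, different salted records:", a != b)
    print("Verification works:", verify_password("password123", a), verify_password("letmein", a))
```

Run as a script, the first line lists three of the four users with their passwords recovered from a four-word list; only the user with a password outside the list survives, and that is a property of the wordlist, not of MD5. The second line shows that two users share a password even before any password is recovered. With the salted PBKDF2 records, the same password produces different stored values each time, so neither a shared precomputed table nor a digest comparison across users helps, and each guess costs the configured number of iterations.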
Once more, this discovery is quite convenient for Yahoo. Not only did the company take three years to discover it had been hacked, and to what extent, it disclosed only 1 billion affected accounts back in December 2016. The company, at the time, was already involved in an acquisition procedure with Verizon, initially valued at $4.83 billion. Following the disclosure of the data breach, Verizon wanted to shave a reported $925 million off the deal, but only got away with $350 million after negotiations.
Yahoo provided some guidelines as to what to do to secure your account, but considering how much time has passed since the data breach, it’s probably for nothing. Either way, make sure to change your password and security questions and answers, review your account for suspicious activity and be careful with any communications you receive asking for personal information. Of course, avoid clicking on just any link you get via email. Enabling two-step authentication is also a good way to secure your accounts, whether at Yahoo or anywhere else.