Yahoo Triples Estimate of Breached Accounts to 3 Billion
By Robert McMillan and Ryan Knutson
A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.
The figure, which Verizon said was based on new information, is three times the 1 billion accounts Yahoo said were affected when it first disclosed the breach in December 2016. The new disclosure, four months after Verizon completed its acquisition of Yahoo, shows that executives are still coming to grips with the extent of the security problem in what was already the largest hacking incident in history by number of user accounts.
A spokesman for Oath, the Verizon unit that now includes Yahoo, said the company determined within the past week that the break-in was much worse than thought, after it received new information from outside the company. He declined to elaborate on that information. Compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth, the spokesman said.
Several other major cyberattacks recently have focused attention on the vulnerability of big companies that possess enormous amounts of vital personal information about their customers.
On Tuesday, lawmakers slammed former Equifax Inc. Chief Executive Richard Smith for his company's handling of a data breach that affected more than 140 million consumers. The Securities and Exchange Commission and the accounting firm Deloitte also disclosed major hacks in recent weeks.
The number of individuals affected by the 2013 attack is smaller than 3 billion, because some people have multiple accounts across Yahoo's sites, including email, fantasy sports, Tumblr and Flickr, the spokesman said. He said Oath will immediately begin notifying by email users who own the additional roughly 2 billion accounts. That is expected to take several days, he said.
Victims won't need to take additional action, however, because Yahoo already forced all account holders to reset their passwords after the December 2016 disclosure.
Verizon's chief information security officer, Chandra McMahon, said in a statement that the company is "committed to the highest standards of accountability and transparency" and that Yahoo's cybersecurity team was benefiting from Verizon's "experience and resources."