All 3bn Yahoo users affected by 2013 breach

By Dylan Bushell-Embling
Friday, 06 October, 2017

The data breach Yahoo was hit by in 2013 was far more severe than previously thought, with the personal details of all 3 billion of its users compromised in the attack.

Yahoo revealed in an FAQ that it has obtained data indicating that “all accounts that existed at the time of the August 2013 theft were likely affected”.

When Yahoo originally discovered and disclosed the attack in December last year, the company estimated that an unauthorised party “stole data associated with more than one billion user accounts”. But additional information analysed with the help of outside forensic experts has prompted Yahoo to disclose that all accounts were likely affected.

This has given Yahoo the dubious distinction of setting yet another record for the biggest disclosed data breach of all time.

The December announcement when it was thought that only around 1 billion accounts were affected was a record, and this disclosure came just a few months after Yahoo disclosed that the details of at least 500 million users were stolen in 2014.

In both incidents, stolen information may have included names, email addresses, telephone numbers, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

Since the initial disclosure of the breach, Yahoo has required users to change their passwords and has invalidated unencrypted security questions. But in February, Yahoo disclosed that forensic experts had discovered that forged cookies were being created to help attackers access users’ accounts without needing a password.

Follow us and share on Twitter and Facebook