In today’s seucity news, one of the biggest breaches in companies’ networks is now even bigger, the 2013 Yahoo breach affected all three billion Yahoo’s users accounts, not just one billion accounts.
NEW YORK, N.Y., October 3, 2017-Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Additional information regarding this issue is available on the Yahoo 2013 Account Security Update FAQs page, https://yahoo.com/security-update.
The statement clearly says that if you had an account on Yahoo in 2013, you were affected by the data breach.
Our recommendation after these security news? If you did not change your password last year after the disclosure of the 2013 Yahoo breach, you should now change your passwords immediately and enable two-factor authentication (2FA).
In addition, if you are using the same password or password recovery questions/answers somewhere else, you should change those too.
Now if you think you can just delete the account and be safe, think again. Yahoo closes accounts 30 days after users’ requests. That would give hackers enough time to do some serious damage.
Email notifications requesting password changes are being sent to the additional user accounts. Verizon said passwords in clear text, payment card data and bank information was not among the information stolen.
Verizon purchased Yahoo in a $4.5 billion deal that closed in June. The deal’s price was cut by $350 million after Yahoo’s initial revelations of the data breaches. The revised transaction terms called for Yahoo and Verizon to share equally any future legal costs resulting from the 2013 Yahoo breach. Yahoo would be solely responsible for liabilities stemming from shareholder lawsuits and any investigations by securities regulators.