All 3 billion Yahoo user accounts were involved in the 2013 data breach
Last year was a stressful one for those involved in user security at Yahoo. In September 2016 they announced that they detected their systems had been breached in 2014, affecting 500 million user accounts. This was the largest data breach at the time. Three months later in December 2016, Yahoo announced that they had found evidence of a more significant breach in 2013 which compromised one billion user accounts, breaking their own record for the largest leak of user details. Yahoo lost this record in early 2017 when the spam group “River City Media” leaked 1.37 billion email addresses due to an incorrectly secured backup.
Today Yahoo claims back their crown by smashing all previous records. They have announced that as a part of the data interrogation done for the Verizon acquisition they discovered that the 2013 breach had been much larger than previously realized. The number of affected user accounts has been revised to include all three billion Yahoo users who held accounts in 2013. This new information means that if you have ever had a Yahoo account, then you were probably caught up in this leak.
Yahoo, who is now a part of the Verizon subsidiary Oath, would like to stress that key pieces of information were stored in an encrypted form. “The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.”
Verizon has made a statement regarding the security of users of Yahoo-branded products going forwards. "Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer, Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."
This new information reveals how difficult and complex the intrusion was to assess, and how management is still trying to get their head around the scope of the problem. Let’s hope that no one takes this crown from Yahoo any time soon.