If you had a Yahoo account in August 2013, it is one of the roughly 3 billion accounts compromised in one of the largest data thefts of its time. It was this breach that forced Yahoo to accept a lower price when the company was sold to Verizon: in February 2017 the buyer cut its original offer by $350 million.
According to Verizon, which now owns Yahoo, the hack affected every single Yahoo account holder, a figure three times higher than what was previously believed and reported in 2016. In December 2016, Yahoo had stated that about 1 billion accounts were compromised in the 2013 breach. The company later carried out a further investigation, in collaboration with Verizon, law enforcement agencies and cyber-security firms, to establish the full scope of the breach.
“The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” explained Verizon. The company did not say who the “outside forensic experts” were.
On Tuesday, Yahoo stated that all 3 billion accounts across its services, including Yahoo Mail, Tumblr, Flickr and Fantasy, were affected by the theft. Measured by the number of accounts involved, this is the largest data breach disclosed to date.
Yahoo has now confirmed that every account holder is affected by this breach, while last year it said the stolen data included names, email addresses and passwords but no financial information. It is still unclear who perpetrated the 2013 attack against Yahoo. In March 2017 HackRead exclusively reported that the stolen data was being sold on the dark web.
According to Yahoo, the stolen data did not include clear-text passwords, bank account details or payment card data. However, the passwords were protected with an outdated hashing scheme (MD5, according to Yahoo's own 2016 notice) that is cheap to crack, and the stolen records also included security questions and answers and backup email addresses. That makes it easy for attackers to take over other accounts of affected users who rely on the same email address for account recovery on several platforms.
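To make concrete why an unsalted, fast hash such as MD5 offers little protection once a dump is stolen, here is an added example (not code from the original article or from Yahoo) that builds a small, entirely constructed "leaked dump" of made-up accounts, cracks it with a short wordlist in a single pass, and then repeats the attack against the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256. The account names, passwords and wordlist are all assumptions for illustration; the iteration count is a parameter so the demonstration runs quickly.

```python
import hashlib
import os
import time

# Constructed sample data: made-up accounts and passwords, NOT real leaked data.
# Two users share "letmein" to show how unsalted hashing exposes password reuse.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "Tr0ub4dor&3",  # not in the wordlist; should survive both attacks
    "dave@example.com": "letmein",
}

# A tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "welcome"]


def md5_dump(accounts):
    """Store each password as a plain, unsalted MD5 hash, as an outdated backend would."""
    return {email: hashlib.md5(pw.encode()).hexdigest() for email, pw in accounts.items()}


def crack_md5(dump, wordlist):
    """Wordlist attack on an unsalted-MD5 dump.

    Because there is no salt, one MD5 per guess builds a lookup table that
    recovers every account using that password at once, regardless of dump size.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def pbkdf2_dump(accounts, iterations=100_000):
    """Store each password with a random 16-byte salt and PBKDF2-HMAC-SHA256.

    Production deployments should use a much higher iteration count (or a
    memory-hard KDF); 100k is a low default chosen so the demo runs fast.
    """
    out = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        out[email] = (salt, iterations, dk)
    return out


def crack_pbkdf2(dump, wordlist):
    """Same wordlist attack against the salted store.

    Every guess has to be re-derived per account with that account's salt and
    iteration count, so a precomputed table is useless and cost scales with
    accounts x guesses x iterations. Weak passwords still fall; it just costs more.
    """
    found = {}
    for email, (salt, iterations, dk) in dump.items():
        for w in wordlist:
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == dk:
                found[email] = w
                break
    return found


def compare_attacks(accounts, wordlist, iterations=100_000):
    """Run both attacks and return (cracked_md5, cracked_pbkdf2, seconds_md5, seconds_pbkdf2)."""
    t0 = time.perf_counter()
    c_md5 = crack_md5(md5_dump(accounts), wordlist)
    t1 = time.perf_counter()
    c_kdf = crack_pbkdf2(pbkdf2_dump(accounts, iterations), wordlist)
    t2 = time.perf_counter()
    return c_md5, c_kdf, t1 - t0, t2 - t1


if __name__ == "__main__":
    c_md5, c_kdf, s_md5, s_kdf = compare_attacks(SAMPLE_PASSWORDS, WORDLIST)
    print(f"unsalted MD5  : cracked {sorted(c_md5)} in {s_md5:.4f}s")
    print(f"salted PBKDF2 : cracked {sorted(c_kdf)} in {s_kdf:.2f}s")
    d = md5_dump(SAMPLE_PASSWORDS)
    print("bob and dave share an MD5 hash:", d["bob@example.com"] == d["dave@example.com"])
```

Both stores give up the same weak passwords to the same wordlist; the difference is that the MD5 dump falls in microseconds with one hash per guess for the whole dump, while the salted KDF forces the attacker to pay the full per-account cost for every guess. That is the gap between "passwords were hashed" and "passwords were protected", and it is why a forced reset of every account, as Yahoo eventually did, is the only safe response to a stolen MD5 dump.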
It is not unusual for the true number of individuals affected by a breach to emerge only some time after the initial disclosure. According to Thomas Fischer, Global Security Advocate at Digital Guardian, this is the norm with breaches, though usually with those on a much smaller scale.
“The issue here is that account details were compromised without the victims being alerted, leaving them vulnerable to phishing attacks and other forms of social engineering over the last four years. Mass data breaches like this are a treasure trove for malicious attackers. Using the compromised login details, hackers may have attempted to hijack the email accounts to steal more data, or target the victims’ friends, family, and place of work,” said Fischer.
The news has prompted a further round of class-action claims from Yahoo account holders and shareholders, adding to the problems of a company already facing about 41 consumer class-action lawsuits in both US state and federal courts. In this case, according to John Yanchunis, the attorney representing affected Yahoo users, the federal judge had asked for more evidence and information to support his clients’ claims. Yanchunis stated that they now have the required facts, which he said would provide “mind-numbing” information.
Yahoo officials note, on the other hand, that the 3 billion figure also includes accounts that were created but never activated, or used only briefly. Yahoo is now notifying the additional affected users by email.
Carl Wright, CRO of AttackIQ, said: “This is yet again an epic failure. It is time to try something new – seriously, find protection failures before the adversary does. Consumers worldwide and shareholders deserve better. It is one thing to deploy security controls, it is completely another thing to know that they are working correctly. This is why we believe the best defense is a good offensive – continuously testing your security stack the same way the adversary does.”
Yahoo, now part of Oath, also notes that it has already taken the necessary steps to protect its users. In 2016, the year the breach was discovered, Yahoo forced a password reset on all affected accounts and invalidated the old security questions and answers.