The Yahoo breach was already considered to be the largest known hack of user data when it was counted at 1 billion affected accounts. Now, that record-breaking breach has tripled in size.
All Yahoo accounts were affected by a catastrophic breach in 2013, the company confirmed today. Yahoo had previously placed the total at over one billion and has now updated it to a stunning three billion accounts.
The breach, which was attributed to nation-state hackers, occurred in 2013 but wasn’t discovered until 2016. Verizon closed its acquisition of Yahoo this year, after demanding a discount based on the security failure, and merged it with AOL to create a new company, Oath.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” Yahoo said in a disclosure filed with the SEC. “The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.”
Yahoo suffered multiple intrusions into its network, losing email addresses, weakly-hashed passwords, and other personal information. Attackers accessed Yahoo’s internal code, enabling them to forge cookies to access certain targets’ email accounts and to place fraudulent links in Yahoo search results.
Yahoo required the previous 1 billion users thought to be affected to change their passwords and security questions. These changes will also be required of the the 2 billion people now known to be included in the breach.
In March, the Justice Department announced criminal charges against several men affiliated with Russian intelligence for the hack.