Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! 'just!' 1bn!

Every user pwned, how's that $4bn looking now, Verizon?


With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.

In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn't the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.

The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it "recently obtained new intelligence" that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.

That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted:

Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Chandra McMahon, chief information security officer for Verizon.

“Our investment in Yahoo! is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”

Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.

As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire. One of those alleged miscreants is now in a US jail awaiting trial.

You'd also imagine Yahoo!'s erstwhile CEO isn't too bothered. After negotiating the deal, Marissa Mayer laughed all the way to the bank with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring. Equifax needs a new CEO – just saying. ®

PS: Don't delete that Yahoo! account: park it...

