Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! 'just!' 1bn!

Every user pwned, how's that $4bn looking now, Verizon?


With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.

In a filing on Tuesday to America's financial watchdogs, Yahoo!, now owned by Verizon under the Oath brand, admitted the total number of user accounts illegally accessed by hackers in 2013 wasn't the 500 million earlier reported, nor the one billion it later confessed, but all of them – all three billion accounts.

The miserable web giant said that following its 2016 takeover by Verizon – which has its own security consultancy – it "recently obtained new intelligence" that indicated that the network intrusion was much larger than had previously been thought. In fact, it was as large as it could be.

That means account records – including names, addresses, phone numbers, and weakly hashed passwords – for three billion accounts worldwide were exposed to hackers. In its statement today to the SEC, Yahoo! admitted:

Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” added Chandra McMahon, chief information security officer for Verizon.

“Our investment in Yahoo! is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
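Why "weakly hashed" matters in a record dump like this: an unsalted, fast digest maps every user who chose the same password to the same stored value, so one guess or one precomputed table unlocks all of them at once, while a salted, deliberately slow derivation forces each account to be attacked separately and at far greater cost. The following is an added example, not code from the article, Yahoo! or Verizon; the article does not say which algorithm Yahoo! used, so SHA-256 stands in for any fast unsalted hash, the scrypt parameters, the `scrypt$n$r$p$salt$digest` storage layout and the three sample users are this example's own choices.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: two users who happen to share a password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def weak_hash(password):
    """Unsalted fast digest. SHA-256 is only a stand-in for 'some fast hash';
    the point is that the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password, salt=None):
    """Salted, memory-hard scrypt from the standard library.
    Parameters and the 'scrypt$n$r$p$salt$digest' layout are this example's own."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per account
    n, r, p = 2 ** 14, 8, 1            # ~16 MiB of memory per derivation
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    return "scrypt${}${}${}${}${}".format(n, r, p, salt.hex(), digest.hex())


def verify_strong(password, stored):
    """Re-derive with the stored salt and parameters, compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_digest_groups(store):
    """Audit helper: groups of users whose stored values are identical.
    In an unsalted store each group shares one password, so a single
    successful guess exposes every account in the group."""
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


def build_stores(users):
    """Hash the same user set both ways so the two can be compared."""
    weak = {u: weak_hash(pw) for u, pw in users.items()}
    strong = {u: strong_hash(pw) for u, pw in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores(SAMPLE_USERS)
    print("unsalted store, users sharing a digest:", shared_digest_groups(weak))
    print("salted scrypt store, users sharing a digest:", shared_digest_groups(strong))
    print("verify alice:", verify_strong("correct horse", strong["alice"]))
```

Run stand-alone, the unsalted store immediately reveals that alice and bob share a password without any guessing, whereas the salted store shows no such grouping; `verify_strong` still authenticates the right password because the salt and cost parameters travel with the stored value.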

Despite their words, Verizon management are most likely seething about the news. When the initial hack was disclosed, the telco managed to knock $350m off the $4.8bn asking price for the company. Had it known about the size of the actual hack it could have got a considerably bigger discount.

As for the hackers themselves, the US authorities have indicted four men over the infiltration. American prosecutors claim the hack was ordered by the Russian intelligence services and carried out by hackers-for-hire. One of those alleged miscreants is now in a US jail awaiting trial.

You'd also imagine Yahoo!'s erstwhile CEO isn't too bothered. After negotiating the deal Marissa Mayer laughed all the way to the bank with a $55m golden parachute, and is now reportedly looking around for another challenge before retiring. Equifax needs a new CEO – just saying. ®

PS: Don't delete that Yahoo! account: park it...


Biting the hand that feeds IT © 1998–2022