Verizon Says All 3 Billion Yahoo Accounts Were Compromised in 2013 Attack

Yahoo's massive data breach that occurred in August of 2013 affected all three billion Yahoo accounts that existed at the time, Yahoo parent company Verizon disclosed today in a statement on Oath.com, the website for the brand that now encompasses both AOL and Yahoo.

Previously, Yahoo said the hack affected 1 billion accounts, or a third of all accounts at the time. Verizon now says new intelligence suggests the attack was much larger, compromising all Yahoo accounts in 2013.

Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.

Information stolen from affected accounts included names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers. Clear text passwords, bank account information, and credit/debit card information are not believed to have been accessed in the attack.

In a statement, Verizon says the Yahoo team is continuing to take significant steps to enhance security.
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer, Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

Yahoo initially uncovered the attack after law enforcement officials provided the company with Yahoo user data from an unknown source. Yahoo notified users it believed were affected in 2016 at the time the attack was disclosed, but the company will now send email notifications to additional user accounts affected by the hack.

Along with the attack in 2013, Yahoo saw another data breach in 2014 that compromised 500 million accounts, and a third major breach targeting accounts between 2015 and 2016.

The security breaches affected Verizon's $4.48 billion June acquisition of Yahoo, leading Yahoo to drop its asking price by $350 million.

Yahoo is already under SEC investigation for not disclosing the data breach sooner, and affected victims have been given the right to sue the company.


Judge Rules That Yahoo Data Breach Victims Have Right to Sue Company

Several months after Yahoo warned users of a third data breach that occurred between 2015 and 2016, U.S. District Judge Lucy Koh in San Jose, California has said that breach victims now have the right to sue the company, allowing them to pursue breach of contract and unfair competition claims (via Reuters). Previously, Yahoo argued that these individuals lacked grounds to sue the company, but Koh has now rejected that claim.


This leaves "well over 1 billion users" open to sue the company, all of whom were affected by one of three total data breaches that began to gain notoriety in September 2016, when the company disclosed that "at least" 500 million Yahoo accounts were compromised in a late 2014 cyber attack. A second attack was disclosed in December 2016, regarding a user information leak that happened in August 2013, and then the third and presumably last warning about a previous attack came in February 2017.

This outlined a period of data breaches that began in 2013 and lasted until 2016, with Yahoo waiting more than three years to reveal information about any of the attacks. Breached info related to names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers.

Because each affected user now faces the risk of identity theft, Koh ruled in a 93-page decision that plaintiffs can now amend previously dismissed complaints to gain new legal ground against Yahoo.
“All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,” the judge wrote. Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data. Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge said.

“We believe it to be a significant victory for consumers, and will address the deficiencies the court pointed out,” John Yanchunis, a lawyer for the plaintiffs who chairs an executive committee overseeing the case, said in an interview. “It’s the biggest data breach in the history of the world.”

Yahoo's disclosure of the security breaches came in the midst of its acquisition by Verizon, and ended up affecting the carrier's offer. After an initial offer of $4.83 billion, Verizon ended up purchasing Yahoo's core business assets for $4.48 billion in order to limit potential liability. The deal closed this past summer and at the same time, Verizon announced plans to lay off about 2,100 Yahoo employees.


Yahoo Warns Users of Third Data Breach as Verizon Closes in on Revised Deal

Yahoo has issued a new warning to account holders about malicious hacks linked to a third data breach that the company disclosed late last year.

The warning relates to more recent malicious activity targeting accounts between 2015 and 2016, most likely perpetrated by a "state actor," according to Yahoo. Specifically, the hacks were achieved by using a form of "forged" cookies – text-based keys that let web users stay signed in without having to re-enter their username and password – created by software stolen from within Yahoo's internal systems.

A warning message was sent to affected Yahoo users on Wednesday, warning them of the unauthorized access to their account, but Yahoo did not reveal how many people were notified.


"Outside forensic experts have been investigating the creation of forged cookies that could have enabled an intruder to access our users' accounts without a password," a Yahoo spokesperson told Associated Press. "The investigation has identified user accounts for which we believe forged cookies were taken or used. Yahoo is in the process of notifying all potentially affected account holders."

Yahoo's announcement came just hours after reports that Verizon was close to a renegotiated deal to buy Yahoo's core assets at a lower price. Last year, Verizon agreed to buy Yahoo’s core business for $4.83 billion, but on Wednesday Bloomberg News reported that the renegotiated deal would knock about $250 million off that price because of the security breaches that were revealed after the initial deal was agreed.


Back in September, Yahoo revealed that hackers had stolen the personal data of "at least" 500 million users, but by December, the internet company admitted that over one billion Yahoo user accounts had been compromised in a separate hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.

The internet company is currently under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner.


Yahoo Under SEC Investigation for Not Disclosing Massive Data Breach Sooner

Yahoo is under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner, according to The Wall Street Journal.

In September 2016, the internet company revealed that an unidentified hacker had stolen the personal data of "at least" 500 million users. Then last month, the internet company admitted that over one billion Yahoo user accounts had been compromised in a hack dating back to August 2013. Information stolen included names, email addresses, phone numbers, birth dates, hashed passwords, security questions and answers.

According to today's report, the SEC is investigating why Yahoo waited years before disclosing the massive data breach, despite the fact that some staff had known about the incident since at least 2014. The SEC has requested documents from Yahoo relating to the hacks in order to decide whether the internet giant could have reported the breach to investors sooner.

Yahoo is currently negotiating a takeover bid by Verizon, who is reportedly seeking a $1 billion discount off an original $4.8 billion buyout agreement because of the hacking revelations. It's unclear what impact the SEC investigation will have on the deal, but Yahoo's share price had already fallen following the news.


Yahoo Discloses Second Major Hack, More Than 1 Billion Accounts Compromised

Yahoo today announced that it believes more than one billion Yahoo user accounts were compromised in a hack by an unauthorized third party in August of 2013.

Information stolen from affected accounts includes names, email addresses, telephone numbers, birth dates, hashed passwords, and both encrypted and unencrypted security questions and answers. Clear text passwords, bank account information, and credit/debit card information were not believed to be accessed in the attack.

According to Yahoo, the hack was discovered after law enforcement officials provided the company with what appeared to be Yahoo user data from an unknown source. Yahoo says it has not been able to identify the specific intrusion, but it is "likely" distinct from a late 2014 hack that compromised more than 500 million Yahoo user accounts.

Earlier this year, Yahoo confirmed that "at least" 500 million user accounts were accessed in September of 2014, and this marks a second attack during the same general timeframe.

Yahoo is notifying users who may have been affected by the attack, and says it has "taken steps" to secure their accounts by implementing mandatory password changes. Unencrypted security questions and answers have also been invalidated.

Along with the 2013 hack compromising 1 billion user accounts, Yahoo has also announced that an ongoing outside investigation suggests an unauthorized third party accessed proprietary code to forge cookies, a technique that may have been used by the hackers responsible for the September 2014 attack. Those account holders are also being notified.

The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

Yahoo suggests users "review all of their online accounts" to check for suspicious activity and change any passwords that might have been used for a Yahoo account and another online account. Yahoo also recommends implementing two-factor authentication and avoiding links from suspicious emails.


The 16 biggest tech stories of 2016


Technology doesn’t just change the world — it runs it. 

In 2016, the algorithms, networks and slabs of glass and metal that make up today’s digital tools had a direct impact on our lives in some very unexpected ways. 

From Facebook’s fake news problem to the Galaxy Note7 literally exploding, that impact wasn’t always for the good, but there were also signs of hope thanks to the promise of virtual reality and driverless cars.

Here are the biggest tech stories of 2016:

1. The headphone jack

Apple’s annual iPhone launch always hits the mobile world like a shiny glass meteor, but the new iPhone 7 had an aftershock that will be felt for years: the removal of the headphone jack.
