All THREE BILLION Yahoo users hit by 2013 data breach

All three billion of Yahoo’s users were affected by the 2013 data theft that the company originally said had only affected 1 billion users, Yahoo has admitted. 

The additional two billion data theft victims came to light as Yahoo was being integrated with Verizon, which bought the company in June for $4.5 billion.

‘During integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,’ the company said in a statement posted on its website Tuesday. 

 

The additional two billion data theft victims came to light as Yahoo was being integrated with Verizon, which bought the company in June for $4.5 billion.

THE 2013 ATTACK 

The August 2013 breach affected more than one billion accounts, while the 2014 breach affected more than 500 million. 

A third breach occurred in 2015 and 2016.

The hackers are believed to have grabbed names, email addresses, phone numbers, birthdays, encrypted passwords and the ‘unencrypted’ security questions and answers of its users.  

An investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information. 

The investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information.

‘While this is not a new security issue, Yahoo is sending email notifications to the additional affected user account, the firm said.

‘The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.

The company said it ‘is continuing to work closely with law enforcement’.

Yahoo said it would send email notifications to the additional affected user accounts.

‘Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,’ said Chandra McMahon, Chief Information Security Officer, Verizon. 

‘Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.’ 

‘Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,’ Yahoo said in a statement at the time of the attacks.

‘Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.’

The company added it had found no evidence that the ‘state-sponsored actor is currently in Yahoo’s network’. 

Yahoo is now part of a Verizon unit called Oath. Once the deal was closed in June, then-CEO Marissa Mayer stepped down.

Mayer was not paid her 2016 bonus, worth as much as $2million, nor her 2017 equity grants as a result of the hacking incidents.  

In court papers, Yahoo had argued that the breaches were ‘a triumph of criminal persistence’ by a ‘veritable ‘who’s who’ of cybercriminals’ and that no security system is hack-proof.

On March 15, the US Department of Justice charged two officers of the Russian Federal Security Service and two hackers in connection with the second breach in late 2014.

Earlier this year a US judge said Yahoo must face nationwide litigation brought on behalf of more than one billion users who said their personal information was compromised in three massive data breaches.

An investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information

An investigation found that the stolen user account information did not include passwords in clear text, payment card data, or bank account information

The decision from US District Judge Lucy Koh in San Jose, California, was a setback for efforts by Verizon Communications Inc, which acquired Yahoo’s Internet business in June, to limit potential liability.

The breaches occurred between 2013 and 2016, but Yahoo was slow to disclose them, waiting more than three years to reveal the first. 

Revelations about the scope of the cyber attacks prompted Verizon to lower its purchase price for the company from $4.76billion to $4.48billion.

In a 93-page decision, Koh rejected Yahoo’s contention that breach victims lacked standing to sue, and said they could pursue some breach of contract and unfair competition claims.

‘All plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their personal identification information,’ the judge wrote.

Koh said some plaintiffs also alleged they had spent money to thwart future identity theft or that fraudsters had misused their data.

Others, meanwhile, could have changed passwords or canceled their accounts to stem losses had Yahoo not delayed disclosing the breaches, the judge added.

The August 2013 breach affected more than one billion accounts, while the 2014 breach affected more than 500 million. A third breach occurred in 2015 and 2016.

The hackers are believed to have grabbed names, email addresses, phone numbers, birthdays, encrypted passwords and the ‘unencrypted’ security questions and answers of its users. 

While many claims were dismissed, Koh said the plaintiffs could amend their complaint to address her concerns.

 

 

 

Read more at DailyMail.co.uk