Yahoo, now part of the newly created Verizon subsidiary Oath, has announced that the 2013 breach it disclosed in December 2016 affected more users than previously believed.
“At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” the announcement says.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
The company reiterated that the stolen user account information did not include passwords in clear text, payment card data, or bank account information. “We are now notifying the additional user accounts,” they noted.
They also noted that the notifications now going to the additional accounts concern only the August 2013 theft, not the cookie forging activity revealed in March 2017. “Some of the additional user accounts we are notifying now about the August 2013 data theft may have been notified previously about the cookie forging activity if Yahoo believed that a forged cookie associated with their account was used or taken,” the company shared.
As a reminder: users’ names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers were compromised in the 2013 hack.
Most of the passwords were hashed with MD5, as Yahoo had only begun upgrading password protection to bcrypt in the summer of 2013. Unsalted MD5 is fast and deterministic, so leaked hashes can be matched against wordlists at high speed and identical passwords are immediately recognisable. To be on the safe side, Yahoo forced a password reset on affected users and invalidated the unencrypted security questions and answers.
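To make the MD5-versus-bcrypt point concrete, here is an added example (not code from the article or from Yahoo) showing why a leaked table of unsalted MD5 hashes is so much weaker than salted, slow hashes. Because bcrypt is not in the Python standard library, the example uses `hashlib.pbkdf2_hmac` as a stand-in for a salted, iterated password hash; the wordlist, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist, standing in for a real cracking dictionary.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "hunter2"]


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme most leaked Yahoo passwords were stored under."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: one fast MD5 per candidate, no salt to slow it down."""
    for candidate in wordlist:
        if md5_hash(candidate) == target:
            return candidate
    return None


def shared_passwords(db: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by identical unsalted hash: equal hash means equal password,
    so cracking one entry cracks every user in the group."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, digest in db.items():
        groups[digest].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Salted, iterated hashing (PBKDF2 used here as a stand-in for bcrypt).
ITERATIONS = 100_000


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store a fresh random salt alongside the digest for each user."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(slow_hash(password, salt), digest)


def same_password_distinct_records(password: str) -> bool:
    """With per-user salts, two users sharing a password get unrelated digests,
    so the grouping trick above no longer works."""
    _, d1 = make_record(password)
    _, d2 = make_record(password)
    return d1 != d2


if __name__ == "__main__":
    # Constructed "leaked" MD5 table for three sample users.
    leaked = {"alice": md5_hash("hunter2"), "bob": md5_hash("hunter2"),
              "carol": md5_hash("correct horse battery staple")}
    print("shared:", shared_passwords(leaked))
    print("alice cracked as:", crack_md5(leaked["alice"], WORDLIST))
    print("carol cracked as:", crack_md5(leaked["carol"], WORDLIST))
    salt, digest = make_record("hunter2")
    print("verify ok:", verify("hunter2", salt, digest),
          "wrong rejected:", not verify("hunter3", salt, digest))
```

The forced reset Yahoo performed is the right response to an MD5 leak: the hashes themselves cannot be retroactively salted or strengthened, so every password that a wordlist might reach has to be treated as known.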
“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented,” says Bitglass CEO Rich Campagna.
“It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm,” he notes.
AttackIQ CRO Carl Wright says it’s time to try something new.
“Seriously, find protection failures before the adversary does. Consumers worldwide and shareholders deserve better,” he says.
“It is one thing to deploy security controls, it is completely another thing to know that they are working correctly. This is why we believe the best defense is a good offensive – continuously testing your security stack the same way the adversary does.”