Yahoo Breach Compromised 3 Billion People, Not 1 Billion

By Nathaniel Mott
published

It seems like underestimating the scope of a data breach is a trend. Shortly after Equifax revealed that its own hack compromised the data of 145.5 million people, not 143 million, Yahoo announced that a 2013 breach originally believed to have affected 1 billion people actually impacted 3 billion.

Yahoo disclosed the massive hack in December 2016. In the time since, the company has been acquired by Verizon and made part of the Oath brand, which includes a variety of media properties. The breach's actual effects were discovered by Oath, which said it "recently obtained new intelligence" and spoke with outside experts who have led it to believe "that all Yahoo user accounts were affected by the August 2013 theft."

So if you had a Yahoo account in 2013, well, your personal information was stolen. The good news is that Yahoo / Oath / Verizon said "the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information." The bad news is that your name, email address, date of birth, and potentially unencrypted security questions, as well as hashed passwords, were likely compromised.

If you weren't told your account was compromised back in December 2016, you'll soon receive an email informing you of the hack. You'll probably also have to reset your password and change unencrypted security questions; that's what Yahoo required of the people it notified last year. (And by "the breach" we mean the one from December thought to have affected 1 billion people, not the one from September that targeted 500 million.)

Here's what Verizon said about how it plans to handle security in the future:

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer, Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

The question is how the number of people believed to have been affected by this breach rose from 1 billion to 3 billion. You can't just dig through the couch cushions and find 2 billion people you forgot about. It seems that the attack may have been more sophisticated than originally thought, or Yahoo wasn't as thorough as it led its users to believe, or the company downplayed the breach's impact so it could sell to Verizon instead of remaining independent.

Yahoo updated an FAQ about the 2013 breach with more information about its latest findings; you can learn more about the hack's scope there.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

Topics
Security
12 Comments Comment from the forums
  • Lkaos
    What's 2.5 million in 145 million? 0.5% miss, stop making a big deal out of Equifax's number... Now, Yahoo's 3 billion over 1 billion is not only a 100% miss...That is the one you should be whorried about!
    Reply
  • USAFRet
    20238358 said:
    What's 2.5 million in 145 million? 0.5% miss, stop making a big deal out of Equifax's number... Now, Yahoo's 3 billion over 1 billion is not only a 100% miss...That is the one you should be whorried about!

    One of the main differences is...I have the choice not to use Yahoo's services. And haven't for many years.
    I don't have that choice with Equifax.
    Reply
  • spdragoo
    20238358 said:
    What's 2.5 million in 145 million? 0.5% miss, stop making a big deal out of Equifax's number... Now, Yahoo's 3 billion over 1 billion is not only a 100% miss...That is the one you should be whorried about!

    Technically it's 1.724%. But while it may seem statistically insignificant, it's very significant to those extra people.

    And there's the question of scale on this. Breaching Yahoo means they may have had access to your email account, but not every Yahoo account was necessarily tied into any kind of financial account (not to mention that, once you reset your password/changed your challenge questions & answers, you were no longer affected by the breach).

    In contrast, the Equifax breach gave them instant access to your personal information: name, SSN, address, (in some cases) bank account & loan account numbers, etc. -- all of the information needed for them to access your bank records & steal your identity...or worse, set up new credit card & other bank accounts technically in your name. And while the bank account numbers & bank access might be able to be changed, your SSN can't be changed. So for those affected by Equifax, that's a permanent piece of their personal information that is out there for a hacker to find.
    Reply
  • Lkaos
    You seriously believe that in roughly 3 billion users, a bigger number of those 145 million dont use their email accounts to send/receive/store any sort of financial records? Reality check needed...
    Reply
  • gaius_iulius
    20238807 said:
    You seriously believe that in roughly 3 billion users, a bigger number of those 145 million dont use their email accounts to send/receive/store any sort of financial records? Reality check needed...

    It still boils down to having a choice or not ... like USAFRet pointed out above.

    If somebody is dumb enough to ignore security advice easily accessible by simply browsing the Net for a few minutes, and actually uses something as insecure as Yahoo/Gmail/Live (or any of the Cloud Servers everybody thinks are so convenient) to store and/or transmit confidential or financial information, it's his own fault and deserves to be punished.

    Having your sensitive information compromised by the ignorance or negligence of a consumer credit reporting agency who collects and stores your financial data without your consent is a very different thing.
    The responsible individual(s) at Equifax should be indicted and sentenced to lenghty terms in jail.
    Reply
  • Lkaos
    The point is missing 2.5 million in a 145 million estimate ia not a big deal...
    An estimate is just that, an estimate...it's not an exact number...If they had said the number was 150 million and the affected really were 143 million they wouldnt be posting this news again...
    Reply
  • USAFRet
    20239387 said:
    The point is missing 2.5 million in a 145 million estimate ia not a big deal...
    An estimate is just that, an estimate...it's not an exact number...If they had said the number was 150 million and the affected really were 143 million they wouldnt be posting this news again...

    The point is that both of those breaches are bad.
    Reply
  • vern72
    I doubt they didn't know that they breach was that big. They just wanted a higher selling price when they sold the company.
    Reply
  • spikey in tn
    We have already had to change our passwords because of those monkeys. Now, the same * is starting again. When will they ever learn?
    Reply
  • thundervore
    Wow, so Yahoo revealed FOUR year later that the actual number is 3 times greater? Think of all those peoples information that hackers were accessing for 4 long years without the owner knowing.

    Thanks Yahoo. Just when I thought when they turned down the deal to buy google was bad, then comes this lol.
    Reply