While the 2013 Yahoo data breach incident was initially reported to have only impacted 1 billion users at the time, Yahoo has announced that the damage was actually far greater. While the 2013 breach had been announced as the worst data breach yet, it actually had an impact on all 3 billion Yahoo users. Besides those with Yahoo email addresses, anyone with accounts for Yahoo-owned services such as Flickr, Tumblr, or Yahoo fantasy sports leagues are also included in the 3 billion records impacted.
Yahoo is now part of Oath as part of the recent Verizon acquisition. It revealed the new information when the two companies integrated. Oath released a statement on Tuesday about the breach and its corrective measures:
“While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
Experts are saying that Yahoo users should secure their Yahoo account and migrate any personal or sensitive data to a more protected source even if you do not intend to continue using Yahoo or its other services. You should also do the following immediately:
Change change your passwords, security questions, and answers for any accounts with the same or similar credentials to something unique and complex, especially your Yahoo account and accounts containing sensitive data;
Avoid and be cautious of any unexpected emails (or other communication channel) in which you’re asked for personal information or suspicious links to places asking for personal information;
Use a password manager to help you manage new and complex passwords for your accounts. Dashlane Password Manager allows for unlimited password storage and access, you can get it here now for free.
Here follows Yahoo's statement:
"Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
"Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Additional information regarding this issue is available on the Yahoo 2013 Account Security Update FAQs page.