Yahoo has admitted that all 3 billion of its accounts were hacked as part of a cyber attack in 2013 – tripling its earlier estimate.
The company, now part of Verizon subsidiary Oath, had previously said that personal information relating to one billion accounts was accessed by a “third-party” in the largest data breach in history.
However, outside forensic experts were brought in after Verizon acquired Yahoo, and the company has now tripled the number of accounts it believes were compromised.
A statement said the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information, and that all affected customers have been contacted.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said the company’s chief information security officer Chandra McMahon.
However, the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.
The disclosure is likely to expand both the number of class action lawsuits brought by shareholders and Yahoo account holders and the claims made in them, lawyers warned.
Yahoo was already facing at least 41 consumer class-action lawsuits in US federal and state courts, according to a company securities filing in May.
“It’s really mind-numbing when you think about it,” said John Yanchunis, a lawyer representing some of the affected Yahoo users.
UK Information Commissioner Elizabeth Denham said her office was concerned by Yahoo’s announcement and was investigating.
“This is understood to include all UK Yahoo! account holders at the time. This gives us further cause for concern,” she said.
“It is very disappointing to see the company is apparently still uncovering additional problems despite the length of time since the breach occurred.
“We are talking to Yahoo! and have advised them to contact all customers affected as soon as possible.
“We continue to investigate alongside the relevant international authorities to ensure the data protection interests of UK customers are considered.”
Nick Shaw, vice president and general manager of Norton EMEA, offered the following tips on how to spot identity theft:
- Closely monitor your bank accounts, credit reports and any other financial accounts you may have. If the financial companies you do business with offer activity alerts, sign up for them. And if you receive an alert or your financial institution reports unusual account activity, respond as soon as possible.
- Suddenly receiving credit cards in the mail that you did not apply for.
- Receiving calls from debt collectors for goods and services you did not sign up for.
- Being unable to log into a website using your normal password.