Yahoo were only off by two billion the first time around.
Internet giant Yahoo has confirmed that a whopping three billion user accounts were affected by data theft that occurred in 2013, a data breach initially disclosed by the company in December of last year.
At the time, Yahoo disclosed that one billion users had been affected by the data breach, following which Yahoo took action requiring users to change their passwords and invalidating unencrypted security questions and answers so that they could not be used to access an account.
On Tuesday, Yahoo’s Verizon-owned parent company Oath revealed that, after an investigation, it was discovered that all three billion Yahoo accounts in existence at the time of the breach had been affected.
The investigation indicated that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information and Oath stated that it is continuing to work closely with law enforcement on the matter.
A statement released on Tuesday read as follows: “Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Additional information regarding this issue is available on the Yahoo 2013 Account Security Update FAQs page.