Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Yahoo says all 3B accounts impacted by 2013 data breach

Last updated

Yahoo in a statement on Tuesday said further investigation into a massive 2013 data breach suggests all 3 billion its user accounts were impacted from the incident, tripling the internet firm's initial estimates.

According to the statement, Yahoo said it obtained and independently verified with outside forensic experts new intelligence regarding the breadth of the 2013 data theft after it was acquired by Verizon. Following an investigation into the evidence, the company has concluded that all Yahoo user accounts, from email to other services like Flickr, were affected by what was already the largest data theft in history.

Yahoo first disclosed the data breach in 2016, saying at the time that more than 1 billion accounts were compromised as part of a hack involving cookie forging. Yahoo's security team was informed of the attack when law enforcement officials furnished the company with data files a third party claimed was gleaned from user accounts.

Information revealed to hackers include user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed using the MD5 protocol and encrypted or unencrypted security questions and answers. Echoing statements made in 2016, Yahoo said the breach did not include passwords in clear text, payment card data, or bank account information.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer at Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

As it did in 2016, Yahoo is notifying owners of accounts believed impacted via email.

Yahoo suffered a separate breach in 2014 that revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions of some 500 million accounts. That particular hack was blamed on state-sponsored actors, though the company failed to elaborate on the issue.

The pair of hacks ultimately drove down Verizon's acquisition price of Yahoo to to $4.48 billion, a $350 million discount. In return, the companies agreed to split liabilities linked to lawsuits and government investigations into the security breaches.

Verizon later merged Yahoo with AOL and more than 50 other online brands to form digital media company Oath.