Yahoo, now within Verizon's Oath business unit, announced on Tuesday an update to the number of accounts hacked during its massive data breach in 2013. The announcement stated:
"... [Yahoo] is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected... Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft... Yahoo is sending email notifications to the additional affected user accounts..."
That's 3 billion accounts hacked! It almost boggles the mind. Consumers with questions should also visit the Yahoo 2013 Account Security Page, which has been updated with information released this week. Key information about the breach and the consumer data stolen:
"On December 14, 2016, Yahoo announced that, based on its analysis of data files provided by law enforcement, the company believed that an unauthorized party stole data associated with certain user accounts in August 2013... the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or un-encrypted security questions and answers. The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected... No additional notifications regarding the cookie forging activity are being sent in connection with this update..."
Obviously, affected users should change their passwords, security questions, and security answers -- if they haven't already. Some consumers are confused about whether e-mail breach announcements they have received are authentic and truly from Yahoo. The tech company advised:
"... email from Yahoo about this issue will display the Yahoo icon when viewed through the Yahoo website or Yahoo Mail app. Importantly, the email does not ask you to click on any links or contain attachments and does not request your personal information. If an email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails."
Uncertain users should also check the official Yahoo breach notices by country. In June of this year, Verizon completed its acquisition of Yahoo! Inc. and announced then:
"Verizon has combined these assets with its existing AOL business to create a new subsidiary, Oath, a diverse house of more than 50 media and technology brands that engages more than a billion people around the world. The Oath portfolio includes HuffPost, Yahoo Sports, AOL.com, MAKERS, Tumblr, BUILD Studios, Yahoo Finance, Yahoo Mail and more, with a mission to build brands people love."
Reportedly, the Oath portfolio will include products, services, and apps covering content partnerships, virtual reality (VR), artificial intelligence (AI), and the Internet of Things (IoT).
In March of this year, the U.S. Department of Justice announced the indictment by a grand jury of four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses related to the massive hack of millions of Yahoo webmail accounts.
The announcement this week by Yahoo is a reminder of the importance of post-breach investigations and how long these investigations can take to uncover complete details about the hack. It is unwise to assume that everything is known at the time of the initial breach notification. It is also unwise to assume that companies can immediately improve their data security and systems after a massive breach.