Naked Security

3 billion Yahoo accounts affected by 2013 breach

The 2013 breach is three times worse than we thought

On 14 December 2016 Yahoo revealed that a jaw-dropping billion accounts had been affected by a data breach in August 2013. The disclosure arrived hot on the heels of a 22 September admission that 500 million Yahoo accounts had been compromised in a different attack in late 2014.

The announcements changed what we mean by “big” when we talk about big data leaks. They seemed preposterous and unwieldy, and at the time we marvelled at the scale and wondered: how on earth did it take them three years to notice?

What we didn’t know, didn’t expect, was that Yahoo had badly low-balled the number of affected accounts.

It would be left to Verizon, Yahoo’s new owners, to finally unearth the truth of it – that every last one of Yahoo’s accounts was compromised in the August 2013 incident:

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.

The announcement doesn’t say how many accounts that amounts to but both Reuters and the Associated Press put the figure at 3 billion.

Yahoo reports that the types of information lost in the breach are unchanged:

…stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

It also advises that you change your password and security questions, and, even though payment card and bank account data wasn’t compromised in the breach, to “remain vigilant by reviewing your account statements and monitoring your credit reports”. If you used your Yahoo password on any other sites, change it on those sites too and try not to dwell too long on the fact that criminals have had four years in which to crack Yahoo’s subpar password hashing.
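To make the “subpar password hashing” point concrete, here is an added example (not code from the article or from Yahoo) contrasting an unsalted MD5 store with a salted, iterated PBKDF2 store from Python’s standard library. The sample accounts and passwords are constructed for the demonstration; the iteration count is an assumed parameter, lowered in the check functions only to keep the run short.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two accounts that happen to share the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article says protected the 2013 data."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per account.

    The default iteration count is an assumed value for this example; pick one that
    costs tens of milliseconds on your own hardware.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def md5_digests_collide(users: dict) -> bool:
    """True when every stored MD5 is identical.

    With no salt, users who share a password share a digest, so one precomputed
    lookup-table hit reveals all of them at once, and four years is ample time to
    build such tables for a fast hash like MD5.
    """
    digests = {md5_hash(pw) for pw in users.values()}
    return len(digests) == 1


def pbkdf2_digests_collide(users: dict, iterations: int = 1000) -> bool:
    """Same check for the salted store: identical passwords still yield distinct records,
    so each account has to be attacked separately, and each guess costs `iterations` rounds."""
    records = {name: pbkdf2_record(pw, iterations=iterations) for name, pw in users.items()}
    digests = {r["digest"] for r in records.values()}
    return len(digests) == 1


if __name__ == "__main__":
    print("unsalted MD5 digests identical:", md5_digests_collide(SAMPLE_USERS))
    print("salted PBKDF2 digests identical:", pbkdf2_digests_collide(SAMPLE_USERS))
    rec = pbkdf2_record(SAMPLE_USERS["alice"], iterations=1000)
    print("verify correct password:", pbkdf2_verify("correct horse", rec))
    print("verify wrong password:", pbkdf2_verify("wrong", rec))
```

Two properties matter for the defender: a per-account salt removes the shared-digest problem that lets one lookup unlock many accounts, and the iteration count makes every guess expensive, which is the cost unsalted MD5 never imposed on anyone who obtained the 2013 data.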

If you did all that in 2016, after the first announcement, then you don’t need to do it again.

Yahoo says it’s “notifying potentially affected users by email”. Don’t wait for an email from Yahoo, though, or for one from a scammer pretending to be Yahoo: assume you’re affected, don’t click on anything in any purple-branded emails, and just go straight to and work your way to the right place.

If, when you get there, you change your password and security questions, I admire your loyalty. If I could close my account again I would, but it’s been closed since December 2016.
