Yahoo, now part of Verizon, said that, after further investigation, a 2013 hack that it previously believed had resulted in the theft of info for 1 billion user accounts actually affected approximately 3 billion.
Yahoo said it’s alerting the additional affected user accounts. The internet company on Tuesday said its investigation indicates that the account information that was stolen did not include passwords in clear text, payment card data, or bank account information.
The previous disclosure by Yahoo — coming just months after Verizon agreed to buy the two-decade-old internet company — already had made it the biggest security breach on record in terms of the number of user accounts affected.
In December of last year, Yahoo disclosed that cybercriminals in August 2013 had broken into its systems and compromised “more than 1 billion” accounts. That came three months after it said info on at least 500 million accounts was stolen by “state-sponsored” hackers in 2014. The massive data breaches delayed Verizon’s takeover of Yahoo as the telco investigated the incidents, and ultimately led the telco to cut its purchase price by $350 million, to $4.48 billion.
According to Yahoo, during its integration with Verizon following the acquisition’s close this summer, it obtained “new intelligence” that led it to now believe that all Yahoo user accounts at the time — 3 billion in all — were affected by the August 2013 theft.
Yahoo, part of Verizon’s Oath group that includes AOL, said it’s continuing to work closely with law enforcement.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” Chandra McMahon, Verizon’s chief information security officer, said in a statement. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Yahoo previously said its investigation into the 2013 attack revealed that hackers had forged cookies — the bits of code that web browsers use to track users — which let them gain access to user accounts without a password. In 2016, Yahoo directly notified the owners of the approximately 1 billion user accounts that it had identified at the time, requiring them to change passwords and invalidating unencrypted security questions and answers so that they could not be used to access the accounts.