A massive breach of Yahoo’s systems in 2013 impacted every account in existence at the time, the company said last night in a new filing with the Securities and Exchange Commission.
Yahoo disclosed the breach last December when it revealed that it believed 1 billion accounts were compromised. Last night, the company revised that figure to 3 billion.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” the company, which was acquired by Verizon this year and is now part of Oath, said in a statement.
Last December, Yahoo notified all of its account holders of the breach, required a password reset and invalidated existing unencrypted security questions and answers. The 2013 breach was one of two disclosed by Yahoo last year; the second occurred in 2014 when hackers walked off with a half-billion account records. The 2014 breach was disclosed in September 2016.
Yahoo said at the time that the events were separate incidents, but that it was possible the same actor was responsible for both attacks.
In Tuesday’s statement, Yahoo reaffirmed that the stolen data did not include cleartext passwords, nor did it include payment card or bank account information. The attackers made off with names, email addresses, telephone numbers, dates of birth, hashed passwords and some security question and answer data.
Yahoo has maintained that the attackers behind these breaches are state-sponsored, despite some skepticism from outside analysts.
In a November 2016 SEC filing, Yahoo said that its internal security team and outside analysts concluded that during the 2014 breach, attackers were able to steal a proprietary process Yahoo uses to create authentication cookies. The attackers were able to use this to forge cookies and access internal accounts without the need for authentication.
“No additional notifications regarding the cookie forging activity are being sent in connection with this update,” Yahoo said. “Some of the additional user accounts we are notifying now about the August 2013 data theft may have been notified previously about the cookie forging activity if Yahoo believed that a forged cookie associated with their account was used or taken.”
The September breach disclosure kicked off a disastrous chain of events which at the time put Verizon’s multibillion-dollar acquisition of Yahoo’s core business in jeopardy. Immediately, for example, experts challenged Yahoo’s claims of state-sponsored involvement in the 2014 breach. Experts instead believe that a criminal operation was behind the attack and sold the data to an Eastern European government.
In its November SEC filing, Yahoo also admitted that it knew in 2014 attackers were on its network and at the time had stolen data from a half-billion accounts. Congress then demanded answers from CEO Marissa Mayer, calling the two years between the attack and disclosure “unacceptable.”