In a new notice sent out to all users, Yahoo warned consumers about new investigations revealing a broader extent to its massive 2013 hack. The security breach, previously believed to have affected 1 billion accounts, actually impacted all 3 billion people using Yahoo’s email services.
The announcement was posted to the official Oath website, which is the joint venture that now encompasses what was Yahoo’s old business. Verizon Communications spun off the internet giant into this new identity right after acquiring it this summer.
The Securities and Exchange Commission also posted the notice on its portal, letting consumers know of the vulnerabilities they might have been subjected to for a period longer than 4 years. Personal and sensitive information might have been compromised as a result of the hack, but Yahoo said it was not the case.
2 billion accounts might have been unsafe for over 4 years
Considering the fact that Yahoo’s massive breach was determined to have happened in August 2013, these new investigations effectively suggest that the company sat on 2 billion compromised accounts for more than 4 years without notifying users.
The next question that comes to mind after realizing that fact is whether Yahoo knew about the incident or not and to what extent. Reports following the disclosure of the breach back in December last year seem to hint that the company did know about it beforehand.
At the time, it had just revealed a separate hack that affected roughly half a billion people. Coming from that wave of bad PR in the middle of acquisition negotiations, some people believe it is possible that Yahoo gave out fake numbers so as to not affect the deal.
Yahoo's data breach was far more extensive than previously disclosed, affecting all of its 3 billion user accounts https://t.co/gnd2xn1OFR
— Wall Street Journal (@WSJ) October 3, 2017
What’s next for Yahoo and its hacked users?
With Yahoo now a Verizon subsidiary, one would expect the telecom giant to open an investigation to confirm the scope of the incident and determine how that translates into action toward Yahoo, now part of the Oath consortium.
It is unlikely that there will be any sort of retroactive action, although it is worth pointing out that the largest cyber security breach in history cost Yahoo $350 million out of its previously agreed buyout price. Now that the hack is three times as large, one cannot help but wonder how that could have affected things.
As for users, Yahoo is taking the same cookie-cutter approach and sending out the same security recommendations it gave to the first pool of hacked accounts back in December. There is not much else they can do, although Verizon promised they remain committed to strengthening the security of their new platform.
“The investigation indicates that the information that was stolen did not include passwords in clear text, payment card data, or bank account information,” according to Yahoo, but the initial breach notice didn’t rule out passwords, usernames, and personal information including financial data.