Verizon Communications has confirmed that the 2013 cyberattack that hit Yahoo (which Verizon acquired last June) was far more damaging than initially reported – all three billion of Yahoo’s user accounts were compromised by the attack.
Last year, Yahoo said that the attack had affected only one billion accounts. Three months before that announcement, the company revealed that it had suffered a separate attack in 2014, which affected 500 million accounts.
Celebrate excellence in insurance. Join us at the Insurance Business Awards in Chicago on October 26.
In a statement Tuesday, Verizon said that – with the help of outside forensic experts – it has determined that all of Yahoo’s user accounts were affected by the data breach. The company added that it would continue to work closely with the authorities.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” Verizon chief information security officer Chandra B. McMahon said in the statement.
The perpetrators of the cyberattack managed to obtain the names, birth dates, phone numbers, and passwords of Yahoo users. They also made off with the security questions and backup email addresses used to reset lost passwords.
Investigators did not come across the full extent of the 2013 incident before Verizon closed the deal to purchase Yahoo, baffling cybersecurity analysts.
“Frankly, I don’t know how Yahoo got away with this,” former Defense Department cybersecurity expert, National Security Agency senior analyst, and CEO of Synack Jay Kaplan told The New York Times.
Kaplan explained that after Yahoo had discovered that one billion user accounts were affected, it should have considered the very real possibility that all of its user accounts had been compromised.
“My guess is that Yahoo was completely ‘owned’ across the board,” he said.
According to cybersecurity company InfoArmor, a hacking collective based in Eastern Europe offered the stolen Yahoo information for sale last August. Three buyers have since taken up the offer – two spammers and one entity that was looking to use the stolen information for espionage.
While Yahoo claims that the 2013 and 2014 breaches are not related, investigators believe that the attackers behind the 2013 breach were Russian and possibly had connections to the Russian government.