Yahoo’s huge security breach was already considered the largest hack ever when it was revealed at the end of last year, but it appears to have been even worse than the company originally knew.
In a new filing with the SEC, Yahoo, which is now part of Oath, disclosed that all of its approximately 3 billion accounts were impacted by the breach. If you’re still using an old Yahoo password, now is a really good time to change it.
Yahoo didn’t discover the security hack until 2016, even though it occurred back in 2013. The company originally estimated that 1 billion accounts were hacked. Experts at the company believe the attack was carried out by nation-state hackers.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.”
The company says that the stolen user account information didn’t contain passwords, payment card data or bank account info. It is still investigating the matter with law enforcement, though.
Hackers were able to access Yahoo’s internal code during the attack. This allowed them to forge cookies to access specific targets’ email accounts. They also dumped fake links in Yahoo’s search results.
Verizon, which purchased Yahoo last year and then ousted former CEO Marissa Mayer, says it is still working to improve security.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, Chief Information Security Officer, Verizon.