Company admits that more users were actually hacked in 2013

Oct 4, 2017 09:33 GMT

The Yahoo hack saga continues, this time with more information provided by the company itself, which acknowledged in a statement that more users were hacked in 2013 than it had previously revealed.

Yahoo said in September 2016 that 500 million accounts got hacked in 2013 as part of what it described as a state-sponsored attack, although it provided absolutely no specifics on the hacking group or the country behind the breach.

Yahoo, however, released an updated statement in December to bump the figure to 1 billion, saying that it had discovered evidence that twice as many accounts were hacked as it initially thought.

3 billion accounts compromised

And now the company returns with another statement, revealing that its original investigation actually pointed to the wrong number. So the hack didn’t affect 500 million or 1 billion accounts, but 3 billion records, which represented the entire user base of Yahoo at that time. This means that all Yahoo users in 2013 were exposed following the breach.

“Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected,” Yahoo said in the latest statement.

“It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so.”

The only good thing here is that the breach didn’t expose information like bank accounts, credit card data, or passwords, with hackers managing to compromise accounts using stolen Yahoo source code.

If there are still any Yahoo users out there, it goes without saying that they must change their passwords as soon as possible, even though it’s pretty clear that this advice comes way too late given that the hack happened in 2013. Judging from its statement, Yahoo believes that it reacted well by “taking action to protect accounts” and confirming the breach 3 years after it happened.