On Oct. 3, Yahoo now part of Verizon's Oath business unit, publicly disclosed that all of its users were impacted by a data breach in August 2013. Oath estimates that information on three billion users was stolen by attackers in the breach.
The three billion figure for the data beach is a dramatic increase from the initial figures provided by Yahoo when the breach was first revealed. In December 2016, Yahoo publicly reported that the breach occurred in August 2013 impacting one billion users.
"Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," the company stated.
Verizon completed its acquisition of Yahoo on June 13, in a deal valued at $4.5 billion. After the close, Verizon integrated Yahoo along with AOL into the new Oath business unit.
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," Chandra McMahon, Chief Information Security Officer at Verizon stated. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."
After the December 2016 disclosure of the August 2013 breach, Yahoo took several actions to help mitigate risk. Those actions includes forcing users that had not updated passwords since August 2013 to do so. Additionally Yahoo invalidated unencrypted security questions, to help prevent attacks.
The new disclosure that all of Yahoo's users were impacted by the August 2013 breach, follows years of speculation about multiple breaches at the company with varying impact. In September 2016, Yahoo first officially confirmed that it was the victim of a data breach that occurred in 2014 impacting 500 million users. Yahoo in the past had stated that the 2013 and 2014 breaches were separate incidents.
Security experts contacted by eWEEK were not entirely surprised by the new disclosure that all of Yahoo's three billion users were breached.
"This is certainly not a surprise," Peter Tran, General Manager and Senior Director at RSA Security told eWEEK. " Any breach at this scale is highly sophisticated and complex as hackers and cyber-criminals tend to have well established beach heads in advance to move freely undetected for command and control of user account/credentials."
Tran added that it's only when the blind spots are uncovered as part of a breach response effort, that the full impact is discovered.
Chris Roberts, Chief Security Architect at Acalvio also isn't surprised about the new Yahoo hack disclosure. "Frankly, this isn't a surprise given how well they were violated," Roberts told eWEEK. "It is a surprise that they took so long to work it out."
While Yahoo has already taken steps to protect users, there are multiple additional best practices users can taken to help limit risk from any breach of user information. Tran suggests that Yahoo users reset passwords and follow guidelines for recommended length and complexity. He also recommends the use of two-factor authentication.
Roberts suggests that users have unique passwords for all their accounts and change those passwords regularly. Nathan Wenzler, Chief Security Strategist at AsTech Consulting echoed Roberts recommendation on passwords and noted that not reusing passwords helps to prevent a data breach at one site resulting in the attackers ability to log in everywhere else a user password works and cause even more damage to finances and personal information.
"Additionally, as we are still reeling from the effects of the recent Equifax breach, consumers should be freezing their credit records with all three credit bureaus to minimize the potential for financial losses," Wenzler told eWEEK. "While the type of data in the Yahoo breach isn't necessarily financial information, it could easily be used to help create an identity for an attacker to support their attempts to use data stolen from Equifax or other places to apply for new loans, open new credit card accounts and perform other fraudulent activities."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.