A data breach that was already one of the largest of all time just got a lot bigger, as Verizon announced Tuesday that its Yahoo subsidiary might have exposed 3 billion user accounts, not the 1 billion initially estimated.
Yahoo first announced in September 2016 that an estimated 500 million user accounts had been impacted by a data breach that exposed names, email addresses, telephone numbers, birthdays, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers. Yahoo said that the hack on its network occurred in late 2014.
Just a few months later, in December, Yahoo announced that further investigations into the previously announced breach revealed a second data breach, impacting 1 billion user accounts. Yahoo said the breach occurred in August 2013, with an unauthorized third party stealing data from 1 billion users, including names, email addresses, telephone numbers, dates of birth and hashed passwords. The company said it also, in some cases, included encrypted or unencrypted security questions and answers.
Yahoo was acquired by Verizon earlier this year in a $4.48 billion deal that closed in June. The original acquisition offer was for $4.83 billion but was lowered by $350 million after news of the breach emerged. In a statement, Yahoo – now under the brand Oath – said the company received new intelligence on the breach during the integration from "outside forensic experts" that the breach was wider than initially thought. The company did not name the third party who discovered this.
Yahoo says it continues to work with law enforcement on the issue.
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," Chandra McMahon, Chief Information Security Officer, Verizon, said in a statement. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."
Yahoo said it would email those users affected who had not previously been notified. It recommended those impacted consider changing passwords and security questions for accounts on other sites using the same passwords and security questions, review accounts for suspicious activity, and be wary of possible phishing attacks. It also recommended using authentication tools, including Yahoo Account Key.
Matt Johnson, CEO of Baltimore, Md.-based Phalanx Secure Solutions, said the Yahoo breach is just the latest example of a growing trend of major security incidents in recent weeks. Just last month, the security industry saw massive data breaches at Equifax, the Securities and Exchange Commission, and Deloitte, to name a few.
"Every day we turn the news on someone has been breached … it's ridiculous," Johnson said. He said he is also "not surprised" to see the Yahoo breach end up being larger than originally estimated after further investigation.
With all the recent data breaches, Johnson said more and more of his clients are starting to be concerned about whether there is any way to protect themselves from a security incident. He said he talks to his clients about "sticking to the plan," which focuses on building a proactive approach to security, rather than a reactive one.