In September 2016 Yahoo disclosed a breach of 500 million accounts. Three months later it said a further 1 billion accounts had also been breached in a separate hack.
Days ago the company, now owned by Verizon, said a mammoth three billion account details were stolen in its massive 2013 data breach.
In a statement the company said: "Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected."
The eye-watering numbers to one side, you may be confused by Yahoo's seeming predilection for handing out customer information to anyone who comes hacking. All of which makes it hard to keep track of the breaches.
Don't worry, you're not alone. Hopefully the following will clarify:
- September 2016 – Yahoo said 500 million accounts were hacked in late 2014
- December 2016 – Yahoo disclosed that 1 billion accounts were hacked. It said this was a separate hack and happened in August 2013
- Today – the 3 billion account hack is being attributed to the August 2013 attack
The company said, rather troublingly, that it didn't know how the information was hacked. It was alerted to the hack by law enforcement, which had discovered a bundle of Yahoo data for sale on the dark web.
The stolen information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and some encrypted or unencrypted security questions and answers.
Yahoo said this hack, 500 million accounts, was the result of a state-sponsored hacking group. Whenever you read this phrase, which is fairly common, you can take it as code for Russian or Chinese hackers, but clearly diplomatic niceties require a bit of fudging when it comes to pointing fingers.
However, at the time of disclosure there were a few sceptical voices claiming that it was convenient that it was an alleged unidentified state-sponsored hacking group, which in a sense could absolve Yahoo of any responsibility. The fact is that Yahoo actually had very poor security practices in place.
Yahoo said the stolen information did not include payment card data or bank account information. This information was kept in a separate database.
Why so long?
It’s not unreasonable to ask why the hell it took so long to reveal that all this email information had been hacked.
- As Yahoo was gearing up for its sale to Verizon it admitted that some of its employees were aware of the theft of 500 million users' data shortly after it happened in 2014. The hack was publicly acknowledged two years later – in 2016
- There are no mandatory data breach notification standards in the US requiring companies to notify consumers when their data has been hacked
- Given its record of trying to sit on the biggest hacks in cyber history it raises questions about how long Yahoo knew that all 3 billion account details had been hacked
- The most likely reason why Yahoo held back from disclosing the hacks is that it wanted to preserve its reputation and avoid commercial damage. Its sale to Verizon, however, is a clear indication that this failed spectacularly.
What can you do?
If you've had enough of Yahoo and a seemingly never-ending procession of mega data breaches and you want to delete your account, here's how you can do it:
- Go to edit.yahoo.com/config/delete_user and log in to your email as normal
- Confirm your password
- Select "Terminate this account"
If through gritted teeth you want to hold onto your Yahoo account you need to change your password:
- Combine upper- and lower-case letters along with numbers and symbols
- Use two-factor authentication, which will send a text with a code – Yahoo offers this service