New Yahoo Update Says Data Breach Compromised All 3 Billion Accounts
Last year, Yahoo announced that a database containing the login credentials for around one billion users had been found online.
The information had been stolen back in 2013 but was only discovered in 2016. The announcement sparked a nationwide discussion about data breaches and cybersecurity and served as a reminder to users about the need to make sure they practice good password practices. The database was old information, so users who’d been changing their passwords routinely fared better than those who kept their old passwords.
Now, Yahoo has revealed that not only the scope of the compromised information was underestimated, but so was the number of victims. All three billion Yahoo accounts were compromised, and account information was stolen along with the login credentials. This information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, either encrypted or unencrypted security questions and answers.
Fortunately, as data breaches go, this one didn’t affect some of the more sensitive information. Data that was not compromised includes passwords in clear text, payment card data, or bank account information, as those pieces of data were stored on a server that was not accessed. However, there have already been lawsuits filed due to the original discovery, and that number may increase with this new announcement.
At the time of the original announcement, Yahoo required all of the victims they identified to change their passwords and security questions. They also issued a mandatory password change notification to users whose accounts weren’t affected as a precaution, and they invalidated the security questions that may have been compromised.
This discovery on their part has another consequence: customers who used those old passwords and security questions on other sites may not have changed them. That does mean the information connected to their email addresses—which are often the username associated with an account—could have been compromised as well, leading to account takeover of other accounts. For example, if a Yahoo user’s email address is the username for their online banking account or Amazon account and they’ve reused the password or security question/answer, the hacker now has access to it. Users are once again cautioned to change their passwords and security questions, especially on sites that may have used that same information and whether or not they were affected by the previous breach.
Read next: What’s Hiding on Your Credit Report?