Yahoo says all of its 3bn accounts were affected by 2013 hacking

Yahoo has admitted that every one of its three billion accounts were affected by a 2013 data theft – three times more than its earlier estimate of the largest data breach in history. The hack, which took place in August 2013, was first disclosed by Yahoo in December last year. At the time, the company said as many as one billion of its users` information may have been compromised. However, on Wednesday (October 4) it revealed that it has “recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft”. While this is not a new security issue, Yahoo said it was sending email notifications to the additional affected user accounts. However, it said the latest investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information, adding that it is continuing to work closely with law enforcement agencies. A spokesperson said: “It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. “The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account.” Yahoo said the discovery had been made during its integration with Verizon, which bought Yahoo in a £3.6 billion deal in 2016. Some 43 consumer class-action lawsuits have been filed against the company, Yahoo said in a May filing with the Securities and Exchange Commission. The latest disclosure of the massive hack came on the same day that the former boss of credit agency Equifax was questioned in US Congress over a breach in its systems that compromised the social security numbers, credit card details and other personal information of 145 million people.