Every Yahoo Account That Existed in Mid-2013 Was Likely Hacked

Every user who had a Yahoo account in August 2013 was likely affected by its massive hack, the company's parent, Verizon, said Tuesday.

This latest disclosure triples the number of accounts compromised by the major 2013 data breach that the company disclosed late last year. At the time, Yahoo said hackers had stolen data associated with 1 billion user accounts; the new disclosure escalates that number to 3 billion.

Despite news of the hack's much broader scope, the company says the steps needed to protect all of its users were already taken last year, when the hack was first discovered.

As originally announced, hackers in the 2013 breach stole account information such as names, email addresses, phone numbers and birthdates, as well as hashed passwords and security questions and answers. Yahoo, now known as Oath, says in late 2016 it forced password changes for all accounts that haven't done so since 2013 and invalidated old security questions and answers.

Credit card and bank account data were not taken in the breach, according to the company's investigation.

Yahoo learned that the already-vast breach had ballooned thanks to new intelligence "obtained" recently, after Verizon closed its deal to buy Yahoo. Verizon has folded together the tech giant and previously purchased AOL under the umbrella brand Oath.

Oath spokesman Charles Stewart did not elaborate on how the information was obtained, but said the new intelligence led to a new investigation by the company's security team, completed less than a week ago.

The security industry's favorite adage is that there are two types of companies: those that have been hacked and those that don't know they have been hacked. Among those that know, Yahoo stands out.

Over the course of 2016, Yahoo set and then beat its own record for the largest-ever disclosed data breach. Last September, Yahoo reported an incident affecting 500 million accounts that took place in 2014. Then, in December, came the disclosure of the 2013 hack, which was presented as "likely distinct."

The 2014 hack was believed to be state-sponsored and later led to a trial of a Canadian hacker and charges against Russian government agents — a relatively rare development for crimes of such caliber. But many questions remain about the 2013 hack and its perpetrators; in fact, the company has been unable to identify the intrusion.

An internal investigation by Yahoo's board in March found that the company's information security team, senior executives and some legal staff were aware of a state-sponsored hack in 2014, according to a regulatory filing, that adds:

"It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. ... However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
"Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."

Yahoo's then-top lawyer resigned without severance pay as a result, and then-CEO Marissa Mayer lost her 2016 bonus. She later left the company as Yahoo was bought by Verizon.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.