So it turns out that all 3 billion user accounts on Yahoo had been breached during the August 2013 data theft, which is three times the initial 1 billion affected accounts figure the company had reported. Yahoo had first reported that a security breach had taken place over three years after the event, on December 14, 2016. Now the company has said that following the acquisition by Verizon and during the subsequent integration, it learnt that in fact all Yahoo user accounts had been impacted by the 2013 breach. Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement. Interestingly, the Verizon deal had come under scrutiny after Yahoo revealed two data breaches (here and here) after the deal was confirmed. The two breaches together compromised the data of over 1.5 billion user accounts (not unique). During the first disclosed data breach, Verizon had said that it had a ‘reasonable basis’ to believe the incident represented a material impact that could allow it to withdraw from the $4.8 billion deal. Verizon was apparently…
