
All 3 billion Yahoo accounts were breached in the 2013 data theft

It turns out that all 3 billion Yahoo user accounts were breached in the August 2013 data theft, three times the 1 billion affected accounts the company had initially reported. Yahoo first disclosed the breach on December 14, 2016, over three years after the event. The company now says that, following its acquisition by Verizon and during the subsequent integration, it learnt that all Yahoo user accounts had in fact been impacted by the 2013 breach.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

Interestingly, the Verizon deal had come under scrutiny after Yahoo revealed two data breaches after the deal was confirmed. The two breaches together compromised the data of over 1.5 billion user accounts (not unique). After the first breach was disclosed, Verizon had said that it had a ‘reasonable basis’ to believe the incident represented a material impact that could allow it to withdraw from the $4.8 billion deal. Verizon was apparently looking to get a $1 billion discount on the Yahoo deal, and eventually, in February this year, it cut the deal price by $350 million.


September 2016: Yahoo blames state-sponsored hackers for stealing information from at least 500 million user accounts. At the time, the company said the breach was carried out in 2014 and included data such as names, email addresses, dates of birth, telephone numbers and encrypted passwords of Yahoo customers. The company also mentioned that encrypted and unencrypted security questions and answers were leaked, which hackers can use to obtain common data such as users' mother’s maiden name, pet names, etc., and hack their other accounts.


December 2016: Yahoo wrote to its email customers informing them that a breach in 2013 compromised the data of over 1 billion user accounts. According to Yahoo, in November law enforcement provided it with hacked data files that were claimed to be Yahoo user data, and the company confirmed that they were. It mentioned that hackers created forged cookies, using Yahoo’s proprietary code, that would allow them access to accounts without a password.

March 2017: Yahoo clarified that the two data breaches that took place in 2013 and 2014 happened using forged cookies. According to the company, some of the latest intrusions were likely caused by the “same state-sponsored actor believed to be responsible for the 2014 breach.” Additionally, the company mentioned that “based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies.”

Recent disclosures of data breaches

  • Last month, American credit rating agency Equifax disclosed that it had suffered a data breach between May and July 2017, which exposed personal and financial data of over 143 million people. A couple of weeks later it came to light that Equifax had suffered another breach in March 2017, which related to a payroll service. The company claimed that the security breach in March was communicated to the customers as well as the regulator, and that it was not related to the one in May-July.
  • In the same month, the US Securities and Exchange Commission disclosed that its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system was hacked last year. The EDGAR system stores financial documents filed by publicly traded companies.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.




MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
