
All 3 billion Yahoo accounts were breached in the 2013 data theft

So it turns out that all 3 billion user accounts on Yahoo were breached during the August 2013 data theft, which is three times the initial figure of 1 billion affected accounts that the company had reported. Yahoo first reported the security breach on December 14, 2016, over three years after the event. Now the company has said that following the acquisition by Verizon and during the subsequent integration, it learnt that in fact all Yahoo user accounts had been impacted by the 2013 breach.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

Interestingly, the Verizon deal came under scrutiny when Yahoo revealed two data breaches after the deal was confirmed. The two breaches together compromised the data of over 1.5 billion user accounts (not unique). At the time of the first disclosed data breach, Verizon had said that it had a ‘reasonable basis’ to believe the incident represented a material impact that could allow it to withdraw from the $4.8 billion deal. Verizon was apparently looking to get a $1 billion discount on the Yahoo deal, and eventually in February this year it did cut the deal price by $350 million.


September 2016: Yahoo blames state-sponsored hackers for stealing information of at least 500 million user accounts. At the time, the company said the breach was carried out in 2014, and included data like names, email addresses, dates of birth, telephone numbers and encrypted passwords of Yahoo customers. The company also mentioned that encrypted and unencrypted security questions and answers were leaked, which hackers can use to obtain common data about users, such as mother’s maiden name, pet names, etc., and hack their other accounts.


December 2016: Yahoo wrote to its email customers informing them that a breach in 2013 compromised the data of over 1 billion user accounts. According to Yahoo, law enforcement provided it in November with hacked data files that were claimed to be Yahoo user data, which the company confirmed. It mentioned that hackers created forged cookies, using Yahoo’s proprietary code, that would allow them access to accounts without a password.

March 2017: Yahoo clarified that the two data breaches that took place in 2013 and 2014 happened using forged cookies. According to the company, some of the latest intrusions were likely caused by the “same state-sponsored actor believed to be responsible for the 2014 breach.” Additionally, the company mentioned that “based on the investigation, we believe an unauthorized third party accessed the company’s proprietary code to learn how to forge certain cookies.”

Recent disclosures of data breaches

  • Last month, American credit rating agency Equifax disclosed that it had suffered a data breach between May and July 2017, which exposed personal and financial data of over 143 million people. A couple of weeks later it came to light that Equifax had suffered another breach in March 2017, which related to a payroll service. The company claimed that the security breach in March was communicated to the customers as well as the regulator, and that it was not related to the one in May-July.
  • In the same month, the US Securities and Exchange Commission disclosed that its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system was hacked last year. The EDGAR system stores financial documents filed by publicly traded companies.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.




MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
