Yahoo, even after being subsumed by Verizon, continues to set records for data insecurity.
SUNNYVALE — Last year, Yahoo set a world record for failed online security, announcing that at least half a billion user accounts had been compromised in a security breach. Soon after, it surpassed its own mark with the revelation that another hack had hit more than a billion of the company’s three billion users.
Now, it turns out that the billion-account hack was actually a three billion-account hack — with personal data for every single Yahoo user compromised.
Verizon bought flailing Sunnyvale tech giant Yahoo for $4.5 billion in June, and began merging it with AOL to form a new company called Oath. On Tuesday, Verizon in a regulatory filing revealed that after its purchase, and while it was integrating Yahoo with AOL, it discovered the hack was much worse than Yahoo had stated.
An investigation that included outside forensic experts had concluded that “all Yahoo user accounts were affected,” the Securities and Exchange Commission filing said.
Yahoo, when it revealed the hacks last year, said that the data thieves may have taken users’ names, email addresses, phone numbers, dates of birth, scrambled passwords and security questions and answers.
In the SEC filing, Verizon said the investigation found that the data theft from Yahoo did not include passwords in clear text, payment card data or bank account information.
“The company is continuing to work closely with law enforcement,” the filing said.
Yahoo, which took a $350 million hit to its sale price because of the hacks, had attempted in the aftermath to safeguard users’ personal information, Oath noted in its joint SEC filing with Verizon.
“In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account,” the filing said.
“Yahoo also notified users via a notice on its website.”
Yahoo remains a brand under the Oath umbrella. The SEC filing said Yahoo is sending email notifications to the “additional affected user accounts.”