When Yahoo disclosed in December that a billion (yes, billion) of its users' accounts had been compromised in an August 2013 breach, it came as a staggering revelation. Now, 10 months later, the company would like to make a correction: That incident actually exposed three billion accounts—every Yahoo account that existed at the time.
On the one hand, this new information doesn't really change things in a practical sense, because the initial billion account estimate was already enormous—you could safely assume you were impacted—and Yahoo took protective steps for all users in December, like resetting passwords and unencrypted security questions. On the other hand, three billion accounts.
"They are as big as it gets," says Jeremiah Grossman, who worked as an information security officer at Yahoo for two years in the early 2000s and is now the chief of security strategy at SentinelOne. "Maybe Google or maybe Facebook, but the next mega-breach is not going to be orders of magnitude bigger."
In this case, it took Yahoo three years to discover and disclose the breach, and almost four years to complete the investigation. And let's not confuse all of that with a separate Yahoo breach perpetrated in late 2014, and not disclosed until September 2016, that impacted 500 million accounts. That alone still holds as the second-biggest known breach of all time, in terms of impacted users. (One could argue that the recent Equifax breach, which impacted 145.5 million people, will ultimately have greater negative overall impact because of the particular sensitivity of the data involved.)
The most recent disclosure also comes after Yahoo's recent acquisition by Verizon and subsequent merger with AOL. Disclosing two enormous breaches back to back at the end of 2016 put a strain on the acquisition process, and even reportedly led Verizon to demand a price reduction.
Even though three billion sounds like a dramatic number, Grossman argues that it shouldn't come as a surprise. "To everybody on the outside, it looked to us when we originally read all the information that [the breach] must have impacted all the accounts," he says. The attackers "got so deep in the system, I couldn't imagine why certain accounts would have been affected and not others."
Yahoo published information about the revision on its Account Security Update page, attempting to clarify the timeline of events. "Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," the company wrote.
The update from Yahoo is a new high—that is to say, a new low—in terms of mega-breach scale. Think of it this way: On Monday, Equifax faced warranted criticism when it revised the number of people affected by its massive data breach from 143 million to 145.5 million. Yahoo's adjustment weighs in at 800 times that. The silver lining, one imagines, is that it quite literally can't get any worse.
Source: WIRED