Yahoo confirmed overnight that, alarmingly, all of its 3 billion customers were likely hit by its colossal data breach in 2013 – not the 1 billion first suggested by the company in late 2016.
This revelation came from Oath, a subsidiary of US telecoms company Verizon, which acquired Yahoo in June for $4.48 billion.
When the initial breach was revealed, the acquisition was put in jeopardy; instead, the price of the deal was cut after the 2013 data breach and a separate 2014 hack, which affected 500 million accounts, came to light.
After Yahoo was acquired by Verizon, the telecoms company “obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected”.
It added: “While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.
“The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.
“The company is continuing to work closely with law enforcement.”
Chandra McMahon, chief information security officer at Verizon, said: “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Although the Yahoo breach is the largest hack in terms of the number of people affected, the recent Equifax data breach is viewed as more damaging due to the nature of the information gained.
Sam Curry, CSO at Cybereason, comments: “The raw number of compromised accounts increases, verging on the ridiculous and losing meaning as we get numbers normally only seen in astronomy. 3 billion, 2 billion, 1 billion… how does this have personal meaning when it means half the population of the world?
“The biggest issue is that this is another blow to our collective privacy: the cost to gain information on anyone plummeted and should be at the forefront of the debate. This is effectively compounding the three real issues behind the Equifax breach. Today, everyone should have been working under the assumption that they were affected years ago but may need reminding to watch their identities and credit for abuse.”
According to Frances Zelazny, female cybersecurity industry expert and VP at behavioural biometrics startup BioCatch, Yahoo’s guidelines reflect the high risk of social engineering, email fraud and account takeover that emanates from large-scale breaches. She said that with an email supposedly coming from a person you know, there is a higher likelihood of you clicking on a malicious link, spreading malware and ransomware.
By having access to email accounts and passwords, fraudsters also have a higher chance of gaining access to users’ bank accounts, because most people reuse passwords or make multiple versions of the same password that are easy to hack. Users have only a chance of preventing harm to themselves by following the guidelines provided by Yahoo, which are just good cyber hygiene, but the responsibility really lies with our institutions, which should stop relying on static forms of data to verify identity or legitimise transactions.
She concluded that it is high time to switch to dynamic forms of authentication, like behavioural biometrics, that do not rely on fixed data points and verify identity from the user directly, rather than from information, devices or location data.