A massive breach of Yahoo’s systems in 2013 impacted every account in existence at the time, the company said last night in a new filing with the Securities and Exchange Commission.
Yahoo disclosed the breach last December when it revealed that it believed 1 billion accounts were compromised. Last night, the company revised that figure to 3 billion.
“Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” the company, which was acquired by Verizon this year and is now part of Oath, said in a statement.
Last December, Yahoo notified all of its account holders of the breach, required a password reset and invalidated existing unencrypted security questions and answers. The 2013 breach was one of two disclosed by Yahoo last year; the second occurred in 2014 when hackers walked off with a half-billion account records. The 2014 breach was disclosed in September 2016.
Yahoo said at the time that the events were separate incidents, but that it was possible the same actor was responsible for both attacks.
In Tuesday’s statement, Yahoo reaffirmed that the stolen data did not include cleartext passwords, nor did it include payment card or bank account information. The attackers made off with names, email addresses, telephone numbers, dates of birth, hashed passwords and some security question and answer data.
Yahoo has maintained that the attackers behind these breaches are state-sponsored, despite some skepticism from outside analysts.
In a November 2016 SEC filing, Yahoo said that its internal security team and outside analysts concluded that during the 2014 breach, attackers were able to steal a proprietary process Yahoo uses to create authentication cookies. The attackers were able to use this to forge cookies and access internal accounts without the need for authentication.