Yahoo Now Says Every Single Account Was Breached, 3 Billion Total


News of Yahoo’s data breaches has gotten progressively worse since it first surfaced in 2016. Now that news is, quite literally, as bad as it can get.

The data breach that occurred in August 2013 is now believed to have affected every single Yahoo account that existed at the time, Yahoo parent company Verizon announced on Tuesday. In total, that’s about three billion accounts. Yes, you read that right. Three. Billion.

Those include Yahoo email accounts, as well as Tumblr, Fantasy and Flickr accounts. If there’s anything resembling good news to the breach, it’s that no sensitive financial information was affected. Names, email addresses and passwords, on the other hand, were compromised.

Verizon’s shocking new announcement comes about four months after the company acquired Yahoo’s core internet business for about $4.48 billion. The search engine and email client is now part of Verizon’s digital media subsidiary, Oath.

That’s “as big as it gets,” security researcher Jeremiah Grossman told Wired. “Maybe Google or maybe Facebook, but the next mega-breach is not going to be orders of magnitude bigger.” Grossman had previously served as a security officer for Yahoo in the early 2000s.

Verizon amended the number of accounts it believed to be breached after receiving “new intelligence, following an investigation with the assistance of outside forensic experts,” the company said in a statement. It did not, however, reveal who those experts or security researchers were.

It’s worth noting that this breach is believed to be a separate incident from a 2013 attack which affected 500 million people. That breach is believed to have been sponsored by state actors, and stolen data was found on the dark web.

Practically, this doesn’t change much for many users. Yahoo said it will send emails to the additional two billion accounts. In the wake of the previous one billion account estimate, it pushed password changes and voided unencrypted security questions for affected users.

As always, you should review your accounts for suspicious activity. If you’ve been using the same password since 2013, change it. Follow current password best practices and use a unique password for each platform, website or service you use.
