In a statement posted online today, Yahoo — now rebranded as Oath and part of Verizon — corrected the estimation on a security breach announced last year from the initial assessment of one billion to "all Yahoo user accounts."
This
announcement refers to
a security breach that took place in 2013 and which came to light in December 2016.
Three months earlier, in September 2016, Yahoo admitted to another data breach that exposed the details of
over 500 million users, which took place in 2014. The US Department of Justice and the FBI
indicted four suspects — three Russian nationals and a Canadian — for that breach.
No details became public about the 2013 security incident, except the number of affected users and that hackers stole names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
New breach details emerge during Verizon integration
Verizon was slated to buy Yahoo even before the first data breach announcement (2014 incident), and even agreed to buy the company following the second breach announcement (the 2013 incident), albeit it cut the purchase price from $4.83 billion by $350 million to $4.48 billion.
Yahoo said today that it only recently became aware of the scope of the breach, during the integration of Yahoo data inside Verizon's infrastructure.
