Highlighting just how complicated it's apparently been, even internally, to sort out the major breach of Yahoo from 2013 that was only first revealed to the public 10 months ago, Yahoo's new parent company Verizon Communications just disclosed that actually far more people's Yahoo accounts were affected in that breach than was previously understood. Rather than 1 billion accounts, or about a third of users who had ever used the platform, all 3 billion accounts were actually impacted, as the Wall Street Journal is reporting.
This revelation comes via a spokesman for the newly created Verizon unit Oath, under which the Yahoo and AOL brands now fall. Per the Journal, the spokesman ominously cited "new information from outside the company" that they received last week, declining to clarify further where the new information came from revealing the greater extent of the breach. While likely less damaging than the Equifax breach given the extent of the information believed, the Yahoo dataset breached in the hack included things like passwords, email addresses, dates of birth, and phone numbers.
Bloomberg reports that the stolen data did not include "passwords in clear text, payment data or bank accounts."
Back in March, the FBI indicted four Russians in the Yahoo hack, saying that it had likely come as a result of "a "spear phishing" via an email to a top-level executive at the company that resulted in hackers getting key login information for the company's servers. A two-year investigation by the FBI's San Francisco office resulted in charges of hacking, wire fraud, trade secret theft, and economic espionage against the four suspects, the first of their kind against Russian officials, including two members of the Russian intelligence service FSB.
Yahoo has never said that they identified the source of the hack they did point to a "state sponsored actor" when first revealing a smaller hack of 500 million accounts believed to have happened in 2014, a year ago last month. However as Bloomberg reminds us, the original hack was discovered by internet security expert Andrew Komarov, who had allegedly observed Yahoo's dataset being sold on the dark web three times, including once to a probable intelligence source that listed out "10 names of U.S. and foreign government officials and business executives to verify that their logins were part of the database."
In terms of number of users, the Yahoo breach was already the largest in history, and now it's likely to hold on to that title even longer.