Yahoo Triples Estimate of Breached Accounts to 3 Billion

By Robert McMillan and Ryan Knutson, Dow Jones Newswires

A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.

The figure, which Verizon said was based on new information, is three times the 1 billion accounts Yahoo said were affected when it first disclosed the breach in December 2016. The new disclosure, four months after Verizon completed its acquisition of Yahoo, shows that executives are still coming to grips with the extent of the security problem in what was already the largest hacking incident in history by number of users.

A spokesman for Oath, the new name of Verizon's Yahoo unit, said the company determined last week that the break-in was much worse than thought, after it received new information from outside the company. He declined to elaborate on the source of that information. Compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth, the spokesman said.

The disclosure is the latest chapter in a long-running saga that tattered the reputation of a former Silicon Valley icon and continues to spawn problems for its new owner. It began in September 2016, two months after Verizon agreed to acquire the fallen internet pioneer, with Yahoo first disclosing a separate attack that took place in 2014 and affected 500 million accounts. Yahoo later revealed the larger 2013 incident.

Several other major cyberattacks have focused attention on the vulnerability of big companies that possess enormous amounts of vital personal information about their customers.

On Tuesday, lawmakers slammed former Equifax Inc. Chief Executive Richard Smith for his company's handling of a data breach that affected more than 140 million consumers. The Securities and Exchange Commission and the accounting firm Deloitte also disclosed major hacks in recent weeks.

The number of individuals affected by the 2013 attack is smaller than 3 billion, because some people have multiple accounts across Yahoo's sites, including email, fantasy sports, Tumblr and Flickr, the spokesman said. He said Oath will immediately begin notifying the users who own the additional roughly 2 billion accounts. That is expected to take several days and occur via email, the spokesman said.

Victims won't need to take any additional action, however, because Yahoo already forced all account holders to reset their passwords after the initial December 2016 disclosure.

In an emailed statement, Verizon's chief information security officer, Chandra McMahon, said the company is "committed to the highest standards of accountability and transparency" and that Yahoo's cybersecurity team was benefiting from Verizon's "experience and resources."

The breaches have been costly for Yahoo. Verizon agreed to buy it in mid-2016 for $4.83 billion, but the deal was delayed after Yahoo's disclosure of the two large hacks, plus a third incident in which hackers forged digital files, called cookies, that could have been used to access 32 million user accounts.

Verizon knocked $350 million off the deal price as a result of those breaches, ultimately paying $4.48 billion. The deal closed in June 2017, and Verizon gave up its right to sue the entity that sold Yahoo, now called Altaba Inc., over any allegations that it had covered up the hacks. Yahoo now operates alongside AOL in Verizon's Oath subsidiary, which is seeking to build a digital media and advertising business.

In addition, Yahoo's former Chief Executive, Marissa Mayer, gave up her 2016 cash bonus following the incident and the company's top lawyer, Ronald Bell, resigned after a board review found problems with the company's handling of this and the other breaches.

About 43 consumer class-action lawsuits have been filed against the company relating to these security incidents, Yahoo said in a May filing with the SEC. The SEC itself has opened an investigation into whether Yahoo should have reported the two incidents sooner to investors.

The Oath spokesman said the new disclosure won't affect the terms of Verizon's acquisition, in which it agreed to evenly split with Altaba costs and liabilities related to any lawsuits from consumers or partners about the breaches. Altaba retains liability for the SEC investigation and any shareholder lawsuits.

The status of the SEC investigation is unclear. The SEC issued guidance in 2011 that required companies to disclose material information about cybersecurity issues, and legal experts have said the agency has been looking for a case to clarify what type of conduct would warrant an enforcement action.

In the May SEC filing, Yahoo also said it is "cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents" about the incident, including the Federal Trade Commission, the SEC, the U.S. Attorney's Office for the Southern District of New York, and two State Attorneys General.

Bob Lord, who oversaw cybersecurity at Yahoo, left the company last month. Chris Nims, who previously worked at AOL, now oversees cybersecurity for all of Oath, and works closely with Verizon's Ms. McMahon.

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Ryan Knutson at ryan.knutson@wsj.com

(END) Dow Jones Newswires

October 03, 2017 17:38 ET (21:38 GMT)