The biggest hack in history is actually three times bigger than we feared

Yahoo-oops x three billion.

The biggest hack in history is actually three times bigger than we feared

As ZDNet reports, Yahoo has revealed that the humungous 2013 data breach didn’t see hackers access data belonging to one billion user accounts as previously thought, but instead a staggering… wait for it… three billion accounts.

Here is the official statement from Yahoo, which is now owned by Oath, a Verizon subsidiary:

Yahoo, now part of Oath, today announced that it is providing notice to additional user accounts affected by an August 2013 data theft previously disclosed by the company on December 14, 2016. At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected. In 2016, Yahoo took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.

Sign up to our free newsletter.
Security news, advice, and tips.

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

To put that enormous figure in some context, it’s estimated that there are approximately 7.5 billion people inhabiting planet earth.

The stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. No payment data was accessed.

It’s a sorry state of affairs when I find myself more surprised that Yahoo had somehow amassed three billion user accounts by 2013 than the fact that they managed to lose control of their data.

What a disaster.

Further reading: How to delete your Yahoo account.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “The biggest hack in history is actually three times bigger than we feared”

  1. David L

    Wow! You know what? A couple years ago, a security researcher was talking about a mammoth breach, of I think, up to one billion people. He took a beating in the tech press, and from many others in infosec. I have to wonder if he accidentally stumbled across this breach? When I have time, I'll try to look it up.

  2. David L

    Hah, found it! Schneier wrote about his skepticism, as did others, but Krebs had vouched for the firm. Hold Security was the name. There are links after the write-up, for those who are interested. Schneier Post is short.

    https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.