New forensic evidence has resulted in Yahoo revising the number of accounts compromised in a 2013 cyberattack. According to the company the attackers managed to steal login information from all three billion Yahoo mail accounts registered to the service at the time.
The company, which is now owned by a Verizon subsidiary known as Oath, had originally believed that one billion user accounts were stolen in the cyberattack four years ago. We now know that the real damage is much worse than the initial estimate, as everyone on the service has had their user names, e-mail addresses, phone numbers, dates of birth, passwords stored using the MD5 cryptographic hashing algorithm, and security questions and answers stolen.
Yahoo says that no passwords were stored in plain text. However, the MD5 hashing used to protect the passwords is considered extremely weak, and the original passwords could easily be recovered by brute-force methods. In other words, it may not be plain text, but that is not going to stop anyone from reading the passwords.
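As an added illustration (not code from the article or from Yahoo), the snippet below contrasts the unsalted MD5 scheme described above with a salted, iterated alternative, PBKDF2-HMAC-SHA256 from Python's standard library. The user names and passwords are constructed sample data, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials; two users happen to share a password.
USERS = {"alice": "password", "bob": "password"}


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the article says Yahoo used.

    Fast to compute and deterministic: every account with the same
    password gets the same digest, so one precomputed table of common
    passwords answers for all three billion accounts at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed iteration count).

    Record format: iterations$salt_hex$hash_hex. A fresh random salt per
    user means identical passwords no longer share a stored value, and the
    iteration count makes each guess cost far more than a single MD5.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_hash(scheme) -> bool:
    """True if two users with identical passwords get identical stored values."""
    return scheme(USERS["alice"]) == scheme(USERS["bob"])


if __name__ == "__main__":
    print("MD5 collides across users:", same_password_same_hash(md5_store))
    print("PBKDF2 collides across users:", same_password_same_hash(pbkdf2_store))
```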
This 2013 attack is separate from another made in 2014. That later cyberattack apparently succeeded in stealing passwords from only 500 million accounts, which is comparatively mild next to the damage already done.
At one billion compromised accounts, this attack already ranked as one of the worst ever suffered by any company. Tripling that number only makes things worse for Yahoo, although it probably has less to worry about now that it has been bought by Oath.
It may be a bit too late for people to change their passwords at this point, but there is a lesson about reusing passwords to be learnt here. Of course, two-step authentication helps minimise the damage done by data breaches and really should be enabled wherever it is available.