Remember the news about the big Yahoo data breach last year? More importantly, remember wondering if your data was affected? As it turns out, yes, merely having an account back then meant your information ended up in the hands of the perpetrators.
Back then, Yahoo thought “only” 1 billion people were affected (up from initial reports of 500 million). But today the beleaguered company released a disclosure notice to the U.S. Securities and Exchange Commission (SEC) reporting the discovery of new evidence proving that the breach extended to every one of the 3 billion accounts registered at the time.
The SEC is a federal agency that protects investors and helps ensure fair business practices.
Yahoo discovered the new evidence during the ongoing process of merging with AOL to create the new company, Oath, following its full acquisition by Verizon earlier this year.
After relaying the bad news, the notice immediately launches into defensive mode, asserting that Yahoo “took action to protect all accounts.”
This “action” included informing the known affected users about the breach, requiring password changes, and removing any encrypted security questions and answers that might be used to access an account.
Remember, though, that the data breaches actually took place in 2013, so all this notifying took place three years after the fact. The news is also problematic because it means roughly 2 billion users didn’t get direct notifications. Yahoo points out, though, that it also notified all users of the breach on its website.
Verizon is almost certainly less than thrilled with the news, as the breach was the primary reason for the $350 million discount it received off the price of Yahoo. As we reported almost exactly a year ago, the breach nearly cost Yahoo the entire deal.