The number of users affected by Yahoo’s 2013 data breach has jumped to include all 3 billion accounts, up from the 1 billion previously reported at the end of 2016.
Yahoo, which is now a part of Verizon’s Oath unit, said it bumped up the number of affected accounts after obtaining new intelligence from outside forensic experts. Although the breach is not new, Yahoo indicated it’s sending email notifications to the additional 2 billion affected users.
Stolen user account information did not include passwords in clear text, payment card data, or bank account information, according to the company.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” Verizon’s Chief Information Security Officer Chandra McMahon commented in a statement. “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
Following the news of an increase in affected users, the U.S. Senate Commerce Committee indicated it intends to hold a hearing later this month over the massive data breach.
Sen. John Thune said he will ask witnesses if “new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come.”
In September, a California judge ruled that Yahoo must face litigation related to three data breaches, which were already considered massive before the billions of additional affected users came to light.
Despite the scale, Yahoo waited three years before revealing the first breach. U.S. District Judge Lucy Koh in San Jose, California, noted some victims could have changed their passwords or canceled accounts if Yahoo hadn’t been so slow to disclose.
In February, Verizon slashed $350 million from its original $4.83 billion offer to acquire Yahoo in the wake of revelations about multiple massive data breaches.
Rich Campagna, CEO of security company Bitglass, called the latest revelations about the breach unprecedented.
“Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access,” Campagna noted. “While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented.”
“It’s difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely,” he added. “Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm.”