You are here: Home » Technology » News » Others
Business Standard

All 3 billion accounts hacked in 2013 data theft, says Yahoo

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders



on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Communications Inc (VZ.N).
The news expands the likely number and claims of class action lawsuits by shareholders and account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in US. federal and state courts, according to company securities filing in May.
John Yanchunis, a lawyer representing some of the affected users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.
“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”
said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced to cut the price of its assets in a sale to
on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.
But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.
Many users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.
in February lowered its original offer by $350 million for assets in the wake of two massive cyber attacks at the internet company.
Some lawyers asked whether would look for a new opportunity to address the price.
“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.
did not respond to a request for comment about any possible lawsuit over the deal.
Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.
In August in the separate lawsuit brought by Yahoo’s users, US. Judge Lucy Koh in San Jose, California, ruled must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.
Also on Tuesday, Senator John Thune, chairman of the US. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and The US. Securities and Exchange Commission already had been probing over the hacks.
The closing of the deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that disclosed last year. The company paid $4.48 billion for Yahoo’s core business.
A official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.
The company said it was sending email notifications to additional affected user accounts.
The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.
The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.
Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.
“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

First Published: Wed, October 04 2017. 08:32 IST