Hacks Are Always Worse Than Reported: All Of Yahoo Email Was Hacked In 2013. All. Of. It.
from the yes-all-of-it dept
Given recent and massive stories about data security breaches by some very, very large players in the technology and financial spaces, we have developed a mantra that you should have on repeat in your head any time you read stories about a breach: however big the breach is reported to be initially, it’s always bigger. We formulated that 12 years ago and it has continually held true. We saw it with Equifax. We saw it with Deloitte. And you will also likely recall that 2013 and 2014 were not banner years for data security at a little company called Yahoo. Hacks of Yahoo’s email platform were reported initially to be in the hundreds of thousands in terms of the number of accounts compromised. As Verizon began negotiating the purchase of Yahoo, that number crept into the hundreds of millions. Eventually, Yahoo settled on a billion compromised accounts resulting from the hacks.
The Verizon deal went through, with a hefty price reduction as a result of the security breaches. And so it’s under the Verizon umbrella that Yahoo informed the public this past week that the need for numerical quantification for the two security breaches has been rendered moot. Because it’s much easier to just say, “Yahoo email was compromised.” As in: all of it.
In 2016, Yahoo disclosed that more than one billion of about three billion accounts had likely been affected by the hack. In its disclosure Tuesday, the company said all accounts were likely victimized. Yahoo included the finding in a recent update to its Account Security Update page, saying that it found out about the wider breach through new intelligence obtained during the company’s integration into Verizon Communications. Outside forensic experts assisted in the discovery, the company said.
“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account,” Yahoo said Tuesday.
Also important to note is that the yahoos at Yahoo were only able to correctly inform the public as to the specific number of accounts breached in these attacks once the use of numbers no longer mattered. Tooting its own horn about the actions it took to protect “all accounts” when it didn’t even know that “all accounts” had indeed been compromised violates PR rule number 1: don’t request praise in the middle of a crisis. The crisis, in this case, is why anyone should have a Yahoo email account at all moving forward, given how laughably bungled this whole mess has been handled.
But the larger point harkens back to the introduction: remember the mantra. These things are always, always way worse than initially reported. Why companies engage in this sort of slow-motion bandaid-pulling is beyond me, but it sure seems to be the playbook.