Yahoo Admits: All 3 Billion Email Addresses Hacked

John Lister's picture

Yahoo has admitted that a hacking incident in 2013 affected three billion user accounts. That's three times more than it originally disclosed and means every account was affected.

The incident was one of two Yahoo hacks revealed last year. The first, announced in September, involved 500,000 accounts being hacked in 2014. The second, announced in December, was said to have involved a hack of a billion accounts in 2013.

It's the 2013 attack that Yahoo now says it believes "all Yahoo user accounts were affected." It's keen to stress that it only recently discovered that the number was bigger than originally reported. That timeline is important, given Yahoo was taken over by Verizon. Underplaying the extent of the attack could have raised financial regulation issues.

Security Answers Revealed

In the latest announcement, Yahoo doesn't say exactly what data was taken from each account, but says it believes it did not "include passwords in clear text, payment card data, or bank account information." (Source:

It appears the stolen data includes the passwords in encrypted form, along with email addresses, birth dates and security questions and answers in plain text. Yahoo notes that upon announcing the attack last year it required all users to change their password and invalidated the security questions.

Lawsuits Proceeding

As is so often the case with hacking, the danger is not necessarily that the attackers were able to access user data such as emails. Instead, their likely actions would include selling the list of emails to spammers, using the security questions and answers to try to break into accounts on other services, and attempting to decrypt the passwords - again, to try out on other services.

While normally users are warned to avoid reusing login details on multiple sites, that may be avoidable for some security questions that ask for factual information such as a mother's maiden name.

Yahoo is already facing at least 41 lawsuits over the breach that are seeking class action status. The new revelation makes that more of a concern. If the class action status was granted, any damages settlement could theoretically apply to everyone who has ever had a Yahoo account. (Source:

What's Your Opinion?

Should Internet companies face criminal penalties for security breaches, or should this be left to civil damage suits? Are security questions a suitable way to protect accounts? Should all customer data be stored in encrypted form?

Rate this article: 
Average: 5 (5 votes)


Dennis Faas's picture

If passwords can be encrypted, I don't see why security questions are not encrypted as well - especially from a standpoint of leaking data. It may require some extra programming to encrypt and decrypt the data - but if the programming itself was modular this would be an easy fix especially for a company that size.

Chief's picture

Why do people answer security questions with factual information? Mother's maiden name could be 'abc123' or '/colorpurple/'

The only requirement is YOU know what the answers are.

russell.donaldrussell_4813's picture

True but somewhat irrelevant in this case since both questions and answers were exposed.

dan400man's picture

It is relevant because mother's maiden name & certain other data are common information required to access credit.

Chief (above) is correct. I use a password manager that, in addition to holding the user ID and password for a site, allows me to type the security questions and answers I gave for that particular site. I always use some jumbled phrase that gives no hint as to the actual answers to the security questions.

dan400man's picture

Yahoo! should be sued into oblivion.