News of the 2013 Yahoo breach broke last summer as it was being acquired by Verizon. The disclosure, coming just weeks after Yahoo admitted to a 2014 data breach affecting half a billion accounts, raised major questions about whether Verizon should go through with the deal. The uncertainty delayed closing by several months. But now, Yahoo is pointing to "new intelligence" that persuaded it that the scope of the 2013 breach was far more significant than previously thought.
“All Yahoo user accounts were affected by the August 2013 theft,” Yahoo said in a statement. “While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.”
Yahoo added that no credit card information or unencrypted passwords associated with the additional affected accounts appear to have been stolen. The revised number of accounts includes those that may not have been “active” users at the time, meaning account holders who do not regularly log in, according to a person familiar with the matter, who spoke on the condition of anonymity to discuss the investigation.
Yahoo's latest admission comes at an uncomfortable time for technology firms as Washington grapples with the industry's enormous role in consumers' lives. That concern has extended to the political realm, with Facebook on Monday handing over to Congress thousands of online advertisements that are said to be linked to a Russian effort to influence the 2016 presidential election. Some conservatives, meanwhile, have called for companies such as Facebook and Google to be regulated like public utilities, in an effort to prevent right-wing speech from being marginalized.
Now Yahoo could find itself in the spotlight once again as policymakers debate how to handle a data-driven industry that faces such difficulty retaining control of its most valuable — and sensitive — assets.