You may remember a story from last year about Yahoo having the largest security breach in history. The one that actually happened in 2013, 3 years prior to being announced. In its announcement in 2016, Yahoo stated that the breach affected 1 billion accounts, about a third of its total. The problem is that they were just a bit off in their numbers. It turns out that is a number closer to 3 billion, which was every account at the time of the breach. The breach caused Verizon to shave about $350 million from the purchase price for Yahoo, but did not stop them from proceeding with the acquisition.
The revelation is a result of the Verizon acquisition. After the transaction cleared, Verizon began an investigation into the breach. As we now know this was a wise decision by Verizon. The investigation, assisted by outside investigators, discovered that teh breach affected all accounts. The investigation also seems to have found that clear text passwords and financial information were not stolen in the breach. However Clear Text account recovery questions and hashed passwords were. As a precaution Yahoo is notifying affected users, and forcing password and security question changes.
Verizon and its Oath division deserve credit for doing their due diligence and investigating the breech. For their part they have publicly stated that they are “…committed to the highest standards of accountability and transparency…”. It looks like, at least to the naked eye, they are making good. Verizon may have a bit of buyer’s remorse, but it is clear that they still see value in Yahoo. To paraphrase Verizon’s Chief Information Security Officer , Chandra McMahon, Verizon feels that now Yahoo will have more resources to fix its security. Maybe this will help matters, and Yahoo will move forward. Or, maybe for the folks out there who still have Yahoo accounts to delete them and move on. Only time will tell.