It now looks as if every one of Yahoo’s 3 billion account holders was affected by the data breach in 2013, a figure dramatically larger than the original estimate of 1 billion. Yahoo, which is now part of Verizon’s media and telematics subsidiary Oath Inc, was breached again in 2014, but did not announce this until 2016 – a delay that Congress denounced as ‘unacceptable’.
In the 2014 breach, hackers effectively stole Yahoo’s cookie cutters, allowing them to purloin users’ personal data, but not their cleartext passwords or financial information.
Yahoo maintains that the two attacks were separate episodes, but that they may have been perpetrated by the same attacker, possibly a state-sponsored actor. Not everyone agrees with this assessment; some suggest that it’s more likely to be a criminal organisation and that the data is probably now in the hands of Eastern European government-affiliated bodies.