It is not often that a company which has suffered a hugely embarrassing data breach can expect to feel a sense of schadenfreude, but this is likely to be the emotion running through embattled Equifax after Yahoo admitted that a further investigation of its 2013 breach has revealed that all 3 billion of its accounts were affected, not 1 billion as it previously thought.
This will include everyone who has a Yahoo email account, and everyone who had registered for any other Yahoo service such as Flickr or fantasy sports.
The company, now a part of Oath after it was acquired by Verizon for $4.5bn and merged with AOL, said that it discovered the new evidence while integrating the companies.
It tried to paper over the cracks today by noting that when the 2013 breach was discovered and disclosed – in 2016 – the company “took action to protect all accounts.”
Yahoo said that as it took action to protect all accounts previously, “no additional notifications regarding the cookie forging activity are being sent in connection with this update”.
In response, UK Information Commissioner Elizabeth Denham said: “Yahoo has indicated that significantly more people may have been affected by the data breach reported last December than first thought and that all user accounts may have been affected by the August 2013 theft. This is understood to include all UK Yahoo account holders at the time. This gives us further cause for concern.
“It is very disappointing to see the company is apparently still uncovering additional problems despite the length of time since the breach occurred. We are talking to Yahoo! and have advised them to contact all customers affected as soon as possible.
“We continue to investigate alongside the relevant international authorities to ensure the data protection interests of UK customers are considered.”