Yahoo hack gets even worse: 3 billion accounts (all of them) impacted

I’m as tired of “hold my beer” jokes as you are, but this news seems to beg for one.  While Equifax CEO Richard Smith was saying very little about his former firm’s massive hack during a three-hour hearing before Congress yesterday, Yahoo (now called Oath, and part of Verizon) quietly announced a most remarkable thing: 3 billion Yahoo account holders were impacted by a 2013 hack at the firm.  In other words, every Yahoo account worldwide was hacked.

Yahoo had said in December that far fewer accounts were hacked.

“At that time, Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” the notice, filed with the Securities and Exchange Commission, reads.  “Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.”

It might seem like 3 billion trumps 145 million, but don’t forget that a) these are both unimaginably large numbers and b) the data stolen from Equifax is far more sensitive, so the Yahoo hack pales in comparison.

Still, it’s hard to get your head around a number like 3 billion.  That was the entire population of Earth when I was a kid, for example.  (Now it’s more than double that, but you get the point.) Of course, many people have multiple accounts, so we can’t say about half of all global citizens were hacked during the Yahoo incident.

We can say this: Some very high percentage of Internet users worldwide had better change their passwords.  Yahoo forced password changes after the incident, of course, but it’s highly likely that victims re-used those Yahoo passwords in other places.  All those passwords are now toxic. At an absolute bare minimum, you should change passwords that you haven’t touched since 2013. Some computer somewhere — probably hundreds of them — is currently churning through all 3 billion user/pass combinations at every site and service imaginable, looking for “keys” that fit a lock.  It’s only a matter of time.

I know many of you reading think you are way too smart to fall for that, but we all have accounts we’ve long forgotten.

Last year, I attended a very visceral demonstration of this.

The folks at Mozilla and the Tactical Technology Collective set up a clever art installation/pop-up shop in lower Manhattan called “The Glass Room” to make several points about privacy. It had several exhibits, but the relevant one here: visitors could look at an encyclopedia-style pile of books in which every password stolen from LinkedIn was printed. They were listed alphabetically, so every few minutes someone exclaimed when they found their password printed in the volumes. Here’s a video of that.

If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.

About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck, in 2014. He has won the Society of Professional Journalists’ prestigious Public Service award, a Peabody award, and the Consumer Federation of America’s Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

1 Comment

  1. The biggest security-related ‘hole’ is the kind of accounts that [for instance] LastPass won’t store log-in info for. I use one that’s so ancient the encryption system isn’t used anymore, and the software hasn’t been maintained for over ten years. I’m almost tempted to take a spreadsheet and use it and then encrypt it, simply because of the vulnerabilities of cloud-based data storage. My wife still refuses to use any password manager (she regards them as dangerous; she also regards using the program on a programmable thermostat as…dangerous); many others do as well, with the most common reason being that the person would have to learn and remember something and they’re afraid to come out of it looking badly.
