Yahoo Account Hack Reaches 3 Billion, a Number Equal to 40% of World's Population

Douglas A. McIntyre

Verizon Communications Inc. (NYSE: VZ) disclosed that portal company Yahoo had suffered hacks of all of its user accounts, a number it put at about 3 billion, which is equivalent to 40% of the world’s population. Some users almost certainly had more than one account. Earlier disclosures put the number at about a billion. As of yet, the company has not explained how the figure could have grown so large and have been discovered so late.

That the number should grow so much and be discovered so late must make consumers with any of their personal data online wonder if any of their information is safe, ever.

Verizon announced it would buy Yahoo in July 2016. The deal, for $4.48 billion, closed in June. The newly disclosed scale of the hack was discovered sometime after the deal closed, but years after the event or events happened. Yahoo’s initial announcement of the hack said it happened in August 2013 — more than four years ago.

The news comes on the heels of the announcement that Equifax Inc. (NYSE: EFX) had 145.5 million accounts hacked. The figure is dwarfed by the Yahoo number, but presumably a credit agency keeps a larger amount of sensitive data than a web portal company does. At least, Yahoo account holders should hope so.

Many of the accounts were probably old, and even orphaned by their users. This does not mean the data about these people was not useful. It may be months before Yahoo account holders find out exactly what happened to their data. If past breaches of large databases are any indication, they may never know at all.

Yahoo account holders can take some comfort in the actions taken when the first hack of a billion accounts was announced. Verizon points out:

“Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.

“It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account.”

Not nearly as much comfort as if the hack had not happened at all.