The situation for Yahoo has most definitely gone from bad to worse this week, as the email provider – which is currently under review by the Irish Data Protection Commissioner (DPC) for a breach in 2014 that put 500 million of its customers’ email accounts and personal details at risk – has admitted that a separate 2013 attack affected all three billion of its accounts. The personal information stolen in this attack includes names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions (some of them unencrypted).
This breach will go down as one of the biggest mess-ups in security history.
The Irish DPC’s office was first notified of the 2013 breach in December 2016, and initially chose not to investigate the incident. However, with the tally of affected customers rising to three billion, it may have to change its stance here.
Because Yahoo’s European HQ is in Dublin, the Irish DPC is Yahoo’s primary supervisory authority.
When approached about the new revelations, Helen Dixon, the DPC, commented: “We are continuing to examine the facts that are being made available to us on that incident, so that we can determine next steps.”
People may think Yahoo is a dinosaur in this day and age, but the fact is that even inactive accounts have a wealth of information associated with them. If you ever had a Yahoo email address and didn’t deactivate it, you may be affected. More importantly: if your current passwords stem from a password you originally used for Yahoo, then your current accounts may be at risk.
It is always a good policy to use a different password for each online account. If you don’t do this and used Yahoo, we recommend changing the passwords for your current online accounts immediately.
With only a few months until the EU General Data Protection Regulation (GDPR) is enforced, breaches like this highlight the importance of robust security policies to secure your customers’ personal data.
Gain full visibility over the flow of the personal data through your organisation to meet the terms of the GDPR with the new Data Flow Mapping Tool.