Yahoo Announces That All Three Billion User Accounts Were Compromised in 2013

Hey, remember that gigantic security breach at Yahoo? No, not that one. No, not that one either. The one where they announced that over a billion user accounts had been compromised. Well, Oath’s PR department dropped a doozy of a press release today:

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

Yep — every single one of the three billion accounts that Yahoo was in charge of maintaining had its information stolen. If you ignore the press release’s spin on what wasn’t stolen, you’ll notice that they omit what was: as acknowledged previously, that includes names, email addresses, MD5-hashed passwords, phone numbers, birthdates, and security questions and answers.

This is the second greatest example of incompetence I’ve seen today.