As Yahoo revealed the cybersecurity breach that took place in late 2014, the company claimed that hackers were able to steal the personal information of 500 million users. However, a former Yahoo executive claims that the number of compromised accounts is much higher than that.
The former Yahoo executive, who is familiar with the security practices of the company and wishes to remain anonymous, told Business Insider that with how the back-end systems of Yahoo are organized, the security breach that was reported would have compromised a higher number of user information.
"I believe it to be bigger than what's being reported," the former executive said. While he is no longer connected with Yahoo, he claims that he is still in touch with company employees, including the ones involved in the investigation of the incident.
Yahoo did say that it was at least 500 million users that were affected by the security breach, but many expected the number of compromised accounts to not deviate far from that figure. However, the former Yahoo executive estimated that the number of users that could have had their personal information stolen could be between 1 billion to 3 billion.
The stolen information from the user accounts may include names, email addresses, birth dates, telephone numbers, encrypted passwords, and in certain cases, encrypted or unencrypted security questions and their corresponding answers.
The former Yahoo executive said that the products of Yahoo use one main user database for the authentication of their users. He described the database as a huge one, and at the reported time of the security breach, it contained the aforementioned information on about 700 million to 1 billion active users who access Yahoo and its services monthly. In addition, there were many other accounts that were inactive but had not yet been deleted.
This is the database that the hackers were able to infiltrate, the former Yahoo executive said. It is possible that the hackers did not steal all the information inside the database after they broke in, but with Yahoo not revealing many details about the incident yet, it is hard to say which number of compromised accounts is the real one.
Yahoo has also previously claimed that it was a state-sponsored group that launched the hacking attack. However, security experts have refuted the allegations, as there is no evidence of such and the actions carried out by the hackers more closely followed the patterns of criminals.
In addition, the security breach went after personal information, which is data that has no point for governments to target.