The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices.
The former Yahoo insider says the architecture of Yahoo’s back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information.
“I believe it to be bigger than what’s being reported,” the executive, who no longer works for the company but claims to be in frequent contact with employees still there, including those investigating the breach, told Business Insider. “How they came up with 500 is a mystery.”
To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion.
According to this executive, all of Yahoo’s products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then goes to this one central place to ensure they are legitimate, allowing them access.
That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn’t been deleted.
“That is what got compromised,” the executive said. “The core crown jewels of Yahoo customer credentials.”
Yahoo’s UDB is still the main repository for user credentials and is still in use, LinkedIn profiles from current Yahoo employees and a 2015 court ruling show.
It’s unclear how the hackers actually exfiltrated the database, and Yahoo has not commented further on how the breach happened or when it was discovered, citing an active investigation. Though it is certainly plausible that a hacker group could access a database but not steal everything within, lending credence to Yahoo’s official number.
Yahoo declined to specify how many breach notification emails it sent out to affected users or how it reached the 500 million number.