Yahoo is Really, Really Terrible

It only took four years, but Yahoo (now part of Oath) is now reporting all accounts that existed at the time of the Aug, 2013 data theft were likely affected. Previously, Yahoo disclosed that more than 1 billion of the approximately 3 billion accounts existing in 2013 had likely been affected, now it's pretty certain all 3 billion were. By our account that's pretty terrible. 

With a more measured approach, Ajay Uggirala, director of product marketing at Imperva provided Website Magazine with the following commentary:
 
"It's not surprising that the Yahoo! breach is larger than originally reported. Troves of data from this breach apparently compromised as long ago as 2012, popped on the Dark Net in 2016, which likely means that at least some of this data has been circulating through the Dark Net for years. 
 
"The Yahoo! breach and others confirm what we've suspected, that attackers are still ahead of enterprises, even the larger companies, when it comes to covering their tracks. The alleged breaches were only detected once the leaked information surfaced on the Web. 

"In these mega breaches, time is still a factor. While the passwords were not leaked in clear text, the time between leakage and detection allowed the attackers, using modern computing power, to crack most of the passwords.
 
"As Imperva researchers found in our report, ' Beyond Takeover - Stories from a Hacked Account,' attackers aren't quick to act. More than 50 percent of the accounts were accessed 24-hours or more after the credential takeover. The result is a brief window where if the attack is suspected, a quick password change results in a 56 percent chance of preventing an account takeover. Therefore, if enterprises had promptly detected the breaches a lot of the potential damage could have been avoided." 

What do you think of Yahoo's admission/findings of a 100 percent account breach, four years later?