Yahoo Says All 3 Billion Accounts Affected in 2013 Hack

Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients' claims.

"I think we have those facts now," he said. "It's really mind-numbing when you think about it."

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said "recently obtained new intelligence" showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion people were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

"This is a bombshell," said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo's former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo's users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo's core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers' tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to."

Tips For Passwords & Securing Your Accounts

Passwords can be inconvenient, but they’re important if you want to keep your information safe. Protecting your personal information starts with STOP. THINK. CONNECT.: take security precautions, think about the consequences of your actions online and enjoy the Internet with peace of mind. Here are some simple ways to secure your accounts through better password practices.

MAKE YOUR PASSWORD A SENTENCE

A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

UNIQUE ACCOUNT, UNIQUE PASSWORD

Having separate passwords for every account helps to thwart cyber criminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.

WRITE IT DOWN AND KEEP IT SAFE

Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternately use a service like a password manager to keep track of your passwords.

LOCK DOWN YOUR LOGIN

Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

September 2017 CERT Cyber Vulnerabilities

Each month, Nebula Consulting posts vulnerability notes from CERT’s vulnerability database. Check back often for updates!

06 Sep 2017 - VU#112992 - Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data.

In Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses XStreamHandler with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application.

A remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application.

Solution: Apply an update. The vendor has released version 2.5.13 to address this vulnerability. No workaround is possible according to the vendor, so patching is strongly recommended.

08 Sep 2017 - VU#166743 - Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities.

Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.

Das U-Boot's AES-CBC encryption feature uses a zero (0) initialization vector. This allows an attacker to perform dictionary attacks on encrypted data produced by Das U-Boot to learn information about the encrypted data.

An attacker with physical access to the device may be able to decrypt the device's contents.

Solution: The CERT/CC is currently unaware of a practical solution to this problem. U-Boot versions prior to 2017.09 contain the vulnerable code; the feature was deprecated and removed in the 2017.09 release.
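The leak described above, shown as an added example that is not U-Boot's code: textbook CBC chaining over a one-block encrypt function, run on two constructed environment blobs that share their first 16 bytes. It uses AES-128 from the `cryptography` package when that package is installed and otherwise a keyed HMAC-SHA256 stand-in; the assumption is that the property demonstrated (a fixed IV makes equal leading plaintext blocks visible as equal ciphertext blocks, without the key) holds for any block cipher, which is what lets an observer build a dictionary of recognised first blocks.

```python
"""Why a fixed all-zero CBC IV leaks information (added example, not U-Boot code)."""
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)  # the fixed IV the vulnerable U-Boot feature used


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    """Raw one-block encryption E_K. AES-128 if 'cryptography' is installed,
    else a keyed HMAC-SHA256 stand-in (assumption: the CBC property shown
    below does not depend on which block cipher is underneath)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
    except ImportError:
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C[i] = E_K(P[i] XOR C[i-1]) with C[-1] = IV."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        chained = bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev))
        prev = _block_encrypt(key, chained)
        out += prev
    return bytes(out)


def pad(env: bytes) -> bytes:
    """Zero-pad a constructed environment blob to a whole number of blocks."""
    return env + b"\x00" * (-len(env) % BLOCK)


# Constructed sample blobs: identical first 16 bytes, different afterwards.
ENV_A = pad(b"bootdelay=3\nboot_target=mmc0\n")
ENV_B = pad(b"bootdelay=3\nboot_target=usb0\n")


def matching_ciphertext_blocks(key: bytes, iv_a: bytes, iv_b: bytes) -> list:
    """Indices of ciphertext blocks identical between ENV_A and ENV_B.
    An observer with no key learns that those plaintext blocks are equal."""
    ca, cb = cbc_encrypt(key, iv_a, ENV_A), cbc_encrypt(key, iv_b, ENV_B)
    return [i for i in range(len(ca) // BLOCK)
            if ca[i * BLOCK:(i + 1) * BLOCK] == cb[i * BLOCK:(i + 1) * BLOCK]]


def demo(key: bytes = b"\x00" * 16) -> tuple:
    """(blocks leaked with the fixed zero IV, blocks leaked with fresh random IVs)."""
    return (matching_ciphertext_blocks(key, ZERO_IV, ZERO_IV),
            matching_ciphertext_blocks(key, os.urandom(BLOCK), os.urandom(BLOCK)))
```

With the zero IV, block 0 of both ciphertexts is identical, so the shared `bootdelay=3\nboot` prefix is recognisable; with a fresh random IV per encryption nothing matches.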

12 Sep 2017 - VU#240311 - Multiple Bluetooth implementation vulnerabilities affect many devices.

A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform commands on the device. For more details, please read Armis's BlueBorne disclosure website and Technical White Paper.

An unauthenticated, remote attacker may be able to obtain private information about the device or user, or execute arbitrary code on the device.

Solution: Apply an update. Patches are available in the latest releases of Windows (see Microsoft bulletin), iOS, the Linux kernel, and Android (see September 2017 security bulletin).

13 Sep 2017 - VU#101048 - Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability.

The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can cause the .NET framework to parse a specially-crafted WSDL file, this can result in arbitrary code execution.

This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible.

By causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open an RTF document.

Solution: Apply an update. This issue is addressed in Microsoft's advisory CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability.


How to Protect Yourself if You're a Victim of the Equifax Breach

After Equifax Breach, Wealthy Consumers Present Alluring Targets For Hackers - Here’s how to protect yourself from email and medical fraud schemes.

Of the 143 million U.S. consumers whose personal information was potentially exposed in the Equifax data breach, the wealthy could face their own particular set of vulnerabilities.

Would-be criminals could use customers’ stolen names, Social Security numbers, birth dates and addresses—information exposed in the Equifax breach—to target those who may have bigger bank accounts, larger lines of credit and more assets, experts say.

A relatively easy way crooks could target the wealthy is by sorting the Equifax information by ZIP Codes that are associated with wealthy areas such as Beverly Hills, Calif., or Greenwich, Conn., some cybersecurity experts say.

“Hackers get the most bang for their buck by focusing on wealthy,” says Roderick Jones, chief executive of Rubica Inc., a cybersecurity firm that works with wealthy individuals.

Here are weaknesses wealthy Americans should watch out for:

Email Vulnerabilities

Fraudsters may use the compromised Equifax data to not only open high-limit credit cards or take out loans in victims’ names, Mr. Jones says, but also to hack into their email accounts to gather information so they can commit other crimes.

Using the details gathered from the breach, experts say hackers are likely to launch “phishing” attempts on their targets. With knowledge of a loan at a certain bank, for example, a hacker could craft an email about that loan that sounds believable and encourages the victim to either click a link that may infect their computer or sends them to a malicious website that gathers even more data that could be exploited.

Another example: After infiltrating a victim’s email and learning his or her writing style, a hacker could email that person’s financial adviser and request a wire transfer, experts say. If the adviser doesn’t have the proper security procedures in place and doesn’t at least verify a wire-transfer request with a verbal confirmation from the client, that money could end up in a fraudster’s account.

How to respond: Use different, complex passwords for each of your accounts, security experts say. Don’t use your Social Security number as any part of an online password or username. While such tips aren’t new, experts say they bear repeating because the security gaps they address are among the most frequently exploited.

Also, take caution with emails that appear to be from a legitimate financial institution. When in doubt, call that provider directly or log on to its website from a secure connection to check your accounts, security experts say.

Medical Fraud

Equifax victims may be at particular risk for medical fraud, too, says Michael Kaiser, executive director at the National Cyber Security Alliance. That’s because they often have strong medical insurance and prescription-drug coverage.

A crook could use the information stolen in the breach to impersonate a victim and seek treatment from various doctors or specialists, potentially running up high medical bills.

Meanwhile, the opioid epidemic raises the stakes for prescription-drug fraud.

Crooks could sell the information to individuals addicted to prescription drugs, including opioids, says Eva Velasquez, president of the Identity Theft Resource Center, a nonprofit group that helps victims of identity theft.

That person would then use the stolen information to buy prescription drugs under the victim’s name using their health insurance. The victim will often get the bill for any unpaid expenses, and the crook’s use of the drug will be recorded in the victim’s health records, she says.

Ms. Velasquez says that once an individual provides proof of identity theft, he or she generally is no longer held responsible for debts incurred by a fraudster. In the interim, however, a victim may be held responsible and this can have an impact on credit scores.

And in cases where insurance was used fraudulently, plan caps and thresholds can be met or exceeded, making it difficult for victims to obtain necessary medical services, she says.

How to respond: If you get bills or explanation-of-benefits forms that you don’t recognize, call the billing office of the medical provider and your insurance company to challenge the charges, Mr. Kaiser says. Keep copies of any documents you receive and keep notes on your conversations.

And ask your providers about any extra layers of security they have, including two-factor authentication, personal identification numbers and biometrics such as fingerprint readers, and take advantage of those features, Ms. Velasquez says.

“Yes, more security adds a layer of inconvenience, but that’s OK if it protects you in the long run,” she says.


How to Supercharge Your iPhone in 5 Minutes

Starting with the iPhone 6, Apple made it possible to charge it from 0 to 100% almost twice as fast. These handy tips can help you supercharge your iPhone from 0-10% in just five minutes.

TURN ON FLIGHT MODE

Switch your phone to flight mode while it’s charging and you’ll find that the power bar creeps up that little bit faster. In this mode, your phone can’t connect to Wi-Fi or mobile networks, so your battery usage will decrease and your device will power up faster. This option can be found in your phone’s settings menu, or by swiping up from the bottom of your home screen.

TURN ON LOW-POWER MODE

Activate low power mode by delving into the battery option under the settings menu and your screen’s energy consumption will decrease drastically. This mode will also shut down any background functions chewing through your power supply, meaning your phone will store more juice while plugged in.

TURN OFF PUSH NOTIFICATIONS

Push notifications are the little icons and messages which your phone displays on its lock screen whenever you get a text or an update. Switching these off while you’re plugged in will help to keep power to a minimum, preventing your phone screen from flashing up and eating power.

USE AN OPTIMUM CHARGER

The best kind of charging device for speed is an iPad wall charger, which can transfer more amps of electricity per second than any of the others. That means it's more efficient than a charger plugged into a computer, or an iPhone charger plugged into the mains. (It's worth noting that only the iPhone 6 and newer models are capable of accepting 2.1 amps per second, which is the amount the iPhone wall charger provides.)

LEAVE YOUR PHONE ALONE

And that includes turning it on to check the time. The more you turn on the phone's display, the more battery it uses up, which makes sense really.