If you thought the hack of 500 million accounts was bad, Yahoo has set a new record: a breach of one billion accounts.
Yahoo has confirmed an August 2013 incident in which the data associated with more than one billion user accounts was stolen.
“We have not been able to identify the intrusion associated with this theft,” Yahoo chief information security officer Bob Lord said in a blog post, adding that this breach is “likely distinct from the incident we disclosed on Sept. 22.”
The incident already disclosed, as Lord says, occurred in late 2014, hitting more than 500 million accounts. Yahoo blamed that breach on state-sponsored hackers.
Like the hack previously announced, the stolen user account information from the newly announced 2013 breach may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
Passwords in clear text, payment card data and bank account information were not taken. Yahoo said payment card data and bank account information are stored on a system separate from the one that the company believes was affected.
“We previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” Lord wrote. “Based on the ongoing investigation, we believe an unauthorized third-party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.”
Lord said some of this activity has been linked to the same state-sponsored actor believed to be responsible for the data theft in 2014.
News of the second breach is unlikely to sit well with Verizon, which agreed this summer to acquire Yahoo’s Internet business for $4.83 billion in cash. It is not known if Yahoo’s ongoing security issues will impact the deal. If the deal closes on schedule, it will be in the first quarter of 2017.
Yahoo is still investigating the matter and is in the process of notifying potentially affected users. The company is asking affected users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers to prevent them from being used to access an account. Lord said Yahoo has “invalidated the forged cookies and hardened our systems to secure them against similar attacks.”
Yahoo also released these security recommendations:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
- Consider using a Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.
Check out Yahoo’s FAQ here.