Earlier this year, Yahoo disclosed a 500 million user breach dating back to 2014, discovered after investigating a 200 million user breach from 2012. Unfortunately, it has now found another one - and it’s even larger.

More than one billion Yahoo users were compromised back in 2013, the company has discovered, with the data stolen thought to include “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” Card and bank account information “are not stored in the system the company believes was affected.” MD5 is a fast general-purpose hash, not a password hash: without a per-user salt and a slow work factor, a leaked list of MD5 password hashes can be cracked offline at very high speed with wordlists and precomputed tables, so those passwords should be treated as exposed rather than protected.

Yahoo also provided further information on the 500 million user breach, with the attackers thought to have forged session cookies that let them access accounts without a password.

The Yahoo billboard – Scott Schiller


“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data,” Bob Lord, Yahoo’s CISO, said in a blog post.

“We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.” 

The 500 million user hack was thought to have come from a state-sponsored actor, with US intelligence officials pointing the finger at Russia, but Lord said that the company believes “this incident is likely distinct from the incident we disclosed on September 22, 2016.”

Yahoo “have not been able to identify the intrusion associated with this theft.”

And more

“Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” Lord continued.

“Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.

“We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
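The mechanism Lord describes - an intruder who has read the server-side code can mint a cookie the site accepts for any account, with no password involved - is worth seeing concretely. The example below is added here and is not Yahoo’s code or cookie format; it models a hypothetical signed-session cookie (base64 JSON payload plus an HMAC-SHA256 tag under a server key), with constructed key values and a fixed clock. It shows that whoever holds the signing key can forge a cookie for an arbitrary user, that tampering with the payload without the key fails, and that rotating the key invalidates every cookie minted under the old one, which is the effect of “invalidated the forged cookies.”

```python
import base64
import hashlib
import hmac
import json

# Hypothetical scheme (an assumption for illustration, not Yahoo's real format):
# cookie = base64url(JSON payload) + "." + hex(HMAC-SHA256(key, base64url payload))

SERVER_KEY_V1 = b"constructed-example-key-v1"  # key as it might sit in leaked source code
SERVER_KEY_V2 = b"constructed-example-key-v2"  # replacement key after rotation
T0 = 1_700_000_000                             # fixed clock so the run is deterministic


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_cookie(user: str, key: bytes, now: int, ttl: int = 3600) -> str:
    """Issue a session cookie for `user`. Anyone holding `key` can call this."""
    payload = json.dumps({"user": user, "exp": now + ttl}, separators=(",", ":")).encode()
    body = _b64(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, now: int):
    """Return the user the cookie is valid for, or None if the tag or expiry fails."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag comparison
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload["user"]


def demo() -> dict:
    # Attacker who learned SERVER_KEY_V1 from the code forges a cookie for a
    # victim account: no credential for that account is needed.
    forged = mint_cookie("victim@example.com", SERVER_KEY_V1, T0)
    accepted_before = verify_cookie(forged, SERVER_KEY_V1, T0)

    # Without the key, changing the payload (here: to "admin") breaks the tag.
    _, tag = forged.split(".", 1)
    spoofed = json.dumps({"user": "admin", "exp": T0 + 3600}, separators=(",", ":")).encode()
    tampered = _b64(spoofed) + "." + tag
    tampered_accepted = verify_cookie(tampered, SERVER_KEY_V1, T0)

    # Operator rotates the key: every cookie under the old key, forged or
    # legitimate, now fails verification and users must log in again.
    accepted_after = verify_cookie(forged, SERVER_KEY_V2, T0)

    return {
        "forged_accepted_before_rotation": accepted_before,
        "tampered_accepted": tampered_accepted,
        "forged_accepted_after_rotation": accepted_after,
    }


if __name__ == "__main__":
    print(demo())
```

The lesson for operators is that a session-signing key embedded in source is only as secret as the repository; keep it in a secrets store or HSM so a code leak alone is not enough to forge sessions, and have a rotation path ready, since rotation is the only way to kill cookies that were minted with a compromised key.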

Even if you have not been notified, it is recommended that you change your Yahoo password, and that of any other account that may use the same one (not that you should be reusing passwords). Because unencrypted security questions and answers were among the stolen data, any answers reused on other sites should be treated as compromised and changed there too.

Acquirer’s remorse

This news comes while Yahoo, once an Internet giant worth $125 billion, is in the midst of being acquired by Verizon for what was a $4.8bn (£3.7bn) offer in July.

When the 500 million user breach was announced - at the time the largest publicly disclosed cyber-breach in history - Verizon said that it was “evaluating its interests” regarding Yahoo. 

Now, with this latest breach, it has used virtually identical language: “We will evaluate the situation as Yahoo continues its investigation,” Verizon said in a statement. “We will review the impact of this new development before reaching any final conclusions.”

A source told The Wall Street Journal that Verizon learned of this breach in the past few weeks, and that it still has all options on the table - including renegotiating the deal’s price or walking away.