Yahoo has disclosed that — in addition to its September hacking incident — another “unauthorized third party” has obtained data from more than 1 billion user accounts. The company states that the information stolen may include names, email addresses, telephone numbers, dates of birth, hashed passwords, and — “in some cases” — encrypted or unencrypted security questions and answers.
The intrusion occurred in August 2013 as a result of cookies forged by hackers who had obtained Yahoo’s proprietary code.
However, the company was quick to say that its investigation suggests that no passwords in clear text, payment card data, or bank account information were taken. “Payment card data and bank account information are not stored in the system the company believes was affected,” wrote Yahoo’s chief information security officer, Bob Lord.
Those whom Yahoo believes are affected are being notified and will be required to further secure their accounts and change their passwords. Lord went on to say that all unencrypted security questions and answers have been invalidated, and that the same has been done for the forged cookies. If you believe your information has been compromised, Yahoo instructs you to review your account for any suspicious activity, take extra care with whom you communicate, and stay alert for phishing scams — that is, don’t click on links or download attachments from emails you aren’t familiar with.
In September, the company claimed that “state-sponsored” hackers stole data from 500 million users, an action that touched off a flurry of investigations as Yahoo continued to pursue its acquisition by Verizon. Today’s revelations bear some of the same markings as the hackers who are to blame for the September attack.
Verizon, which agreed to acquire Yahoo: "As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation."
— CNBC Now (@CNBCnow) December 14, 2016
How this impacts Yahoo’s deal with Verizon remains to be seen, but if there was some hesitation before, when 500 million user accounts were compromised, then news of 1 billion compromised accounts will likely cause executives to pause before proceeding further. A Verizon spokesperson reportedly told CNBC that the telecommunications company will “evaluate the situation as Yahoo continues its investigation.” Yahoo remains optimistic, and a spokesperson told VentureBeat: “We are confident in Yahoo’s value and we continue to work toward integration with Verizon.”
Verizon, as you may know, has agreed to pay out $4.83 billion for the long-struggling, but iconic, technology and search provider. Following the September disclosure, Verizon executive vice president Marni Walden played up the advantage of bringing Yahoo into the fold, saying that the combined entities will create a powerful online advertising provider to rival Facebook and Google. She did temper that response by saying that she has “an obligation to make sure that we protect our shareholders and our investors, so we’re not going to jump off a cliff blindly.”
So 500 million in 2014 and 1 billion in 2013. Do we really want to know what else may have happened before?
“Espionage has gone digital, like so many other things in our world. We’re increasingly seeing data being used as a weapon, where leaked or fabricated information is being used to intentionally damage individuals and governments. While cybercriminals are motivated by financial incentives, state actors are motivated by political and strategic incentives. The nation-state benefits of such a large breach are as real as the obvious financial ones for cybercriminals. A nation state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles. If true, this breach provides a billion opportunities to do this,” said Intel Security chief technology officer Steve Grobman.
Yahoo said that it’s working with law enforcement on this matter.
Yahoo’s stock was down 1.35 percent for the day, and in after-hours trading it has tumbled another 2.35 percent.
Updated as of 3:45 p.m. Pacific on Wednesday: Included statement from Intel Security.