New Hack Record? Yahoo Says “More Than 1 Billion” User Accounts Breached in New Attack
Yahoo has suffered another hack as the company disclosed today that "an unauthorized party" breached more than 1 billion Yahoo user accounts in August 2013. The incident is believed to be separate from the 500 million user breach that Yahoo reported in September this year.
Yahoo announces theft of a billion accounts
"We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," Yahoo said in a statement Wednesday evening. "We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016." The company believes the two hacks are connected, as it linked "some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
Yahoo said the stolen user account information "may have included" user names, their email addresses, telephone numbers, dates of birth, hashed passwords (MD5), and, in some cases, encrypted or unencrypted security questions and answers. Law enforcement alerted Yahoo to the massive breach, and the company has examined the data with the help of outside forensic experts. While the data doesn't include payment details or plaintext passwords, it's still bad news for account holders, as MD5 is no longer considered a secure hashing algorithm.
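What replacing MD5 for stored passwords can look like, as an added example that is not from Yahoo or the original article: legacy hashes are wrapped in a salted, memory-hard scrypt hash at rest, then rehashed from the plaintext at the next successful login. The record layout, the scheme labels, the unsalted single-pass MD5 legacy format and the scrypt cost settings are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

N, R, P = 2**14, 8, 1  # scrypt cost settings assumed for this example

def legacy_md5(password: str) -> str:
    """The weak scheme: a single fast MD5 pass, no salt (assumed layout)."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(data: bytes, salt: bytes) -> str:
    return hashlib.scrypt(data, salt=salt, n=N, r=R, p=P, dklen=32).hex()

def hash_password(password: str) -> dict:
    """Target scheme: per-user random salt plus memory-hard scrypt."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt.hex(),
            "hash": _scrypt(password.encode(), salt)}

def wrap_legacy(md5_hex: str) -> dict:
    """Harden a stored MD5 hash at rest; the plaintext is not needed."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "salt": salt.hex(),
            "hash": _scrypt(md5_hex.encode(), salt)}

def verify_and_upgrade(record: dict, password: str):
    """Check a login; return (ok, record), rehashed to plain scrypt on success."""
    scheme = record["scheme"]
    if scheme == "md5":
        candidate = legacy_md5(password)
    else:
        inner = legacy_md5(password) if scheme == "scrypt(md5)" else password
        candidate = _scrypt(inner.encode(), bytes.fromhex(record["salt"]))
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and scheme != "scrypt":
        record = hash_password(password)  # plaintext is available only at login
    return ok, record

if __name__ == "__main__":
    stored = {"scheme": "md5", "hash": legacy_md5("password")}  # constructed record
    wrapped = wrap_legacy(stored["hash"])
    print(verify_and_upgrade(wrapped, "password")[1]["scheme"])
```
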
Yahoo added in today's brief that hackers also stole Yahoo's proprietary code, which they used to build "forged cookies." These forged cookies could be used to access accounts without a password. Cookies are pieces of code that stay in a user's browser, letting them access their Yahoo account without entering login details on every visit.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies," Yahoo's chief information security officer Bob Lord said.
The new breach raises more questions about Verizon's proposed $4.8b acquisition of Yahoo. Following September's disclosure of Yahoo hacks, the US mobile carrier was reported to be considering asking for a $1 billion discount. It's unclear whether Verizon will abandon its bid or change the terms, as more and more security concerns have appeared following the deal in July.
"As we've said all along, we will evaluate the situation as Yahoo continues its investigation," a Verizon spokesperson said today. "We will review the impact of this new development before reaching any final conclusions."
Yahoo is notifying all the affected users and asking them to change their passwords. The company added in its statement today that users should change their passwords and security questions.
For more information: official announcement
- Thanks for the heads up, Jesse.