Yahoo has disclosed that in addition to its September hacking incident, another “unauthorized third-party” obtained data from more than 1 billion user accounts. The company claims that the information stolen may include names, email addresses, telephone numbers, dates of birth, hashed passwords, and “in some cases” encrypted or unencrypted security questions and answers.
The intrusion took place in August 2013 and resulted from forged cookies created by hackers who had obtained Yahoo’s proprietary code.
However, the company was quick to say that its investigation suggests that no clear-text passwords, payment card data, or bank account information were taken. “Payment card data and bank account information are not stored in the system the company believes was affected,” wrote Yahoo’s chief information security officer Bob Lord.
All those that Yahoo believes are impacted by this are being notified and will be required to further secure their accounts and change their passwords. Lord added that all unencrypted security questions and answers have been invalidated, as have all forged cookies. If you believe your information has been compromised, Yahoo instructs you to review your account for any suspicious activity, take extra care in who you communicate with, and don’t fall for any phishing scams — don’t click on any links or download attachments from emails you aren’t familiar with.
In September, the company claimed that “state-sponsored” hackers stole data from 500 million users, an action that touched off a flurry of investigations as Yahoo continued to pursue its acquisition by Verizon. Today’s revelations bear some of the same markings as the work of the hackers blamed for the September attack.
Verizon, which agreed to acquire Yahoo: "As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation."
— CNBC Now (@CNBCnow) December 14, 2016
How this impacts Yahoo’s dealings with Verizon remains to be seen, but if there was some hesitation before, when 500 million user accounts were compromised, then news of 1 billion accounts will likely cause executives to pause before proceeding further. A Verizon spokesperson reportedly told CNBC that the telecommunications company will “evaluate the situation as Yahoo continues its investigation.” Yahoo also remains optimistic, with a spokesperson telling VentureBeat: “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”
Verizon, as you may know, has agreed to pay out $4.83 billion for the long-struggling, but iconic, technology and search provider. Following the September disclosure, Verizon executive vice president Marni Walden played up the advantage of bringing Yahoo into the fold, saying that the combined entities will create a powerful online advertising provider to rival Facebook and Google. She did temper that response by saying that she has “an obligation to make sure that we protect our shareholders and our investors, so we’re not going to jump off a cliff blindly.”
So 1 billion in 2013 and 500 million in 2014. Do we really want to know what else may have happened before?
“Espionage has gone digital like so many other things in our world. We’re increasingly seeing data being used as a weapon, where leaked or fabricated information is being used to intentionally damage individuals and governments. While cybercriminals are motivated by financial incentives, state actors are motivated by political and strategic incentives. The nation-state benefits of such a large breach are as real as the obvious financial ones for cybercriminals. A nation state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles. If true, this breach provides a billion opportunities to do this,” said Intel Security’s chief technology officer Steve Grobman.
Yahoo said that it’s working with law enforcement on this matter.
If you’re interested, Yahoo’s stock was down for the day 1.35 percent and in after-hours trading has tumbled another 2.35 percent.
Updated as of 3:45 p.m. Pacific on Wednesday: Included statement from Intel Security.