Nearly three months after revealing that hackers in 2014 stole account information for at least 500 million users, Yahoo yesterday reported that an even larger breach affecting more than one billion accounts took place in 2013.
This latest hack by an unnamed and "unauthorized third party" was discovered while forensic experts were helping Yahoo analyze data that was provided to Yahoo by law enforcement authorities in November, according to the company. Yahoo said the 2013 attack is "likely distinct" from the 2014 breach the company reported in September.
Yahoo said it is notifying people potentially affected by the newly disclosed breach and requiring them to change their passwords. The company added that it also recently discovered that some of the accounts breached in 2013 could be accessed without passwords through the use of forged cookies, and has invalidated those forged cookies.
Believed to be the largest online security breach to date, the 2013 attack on Yahoo is likely to raise new questions for Verizon, currently set to close on its $4.83 billion purchase of Yahoo properties early next year. Verizon was reportedly notified of the 2013 hack "in the past few weeks," and is said to be keeping all of its options open regarding the Yahoo deal, according to The Wall Street Journal.
Citing a person familiar with the matter, Bloomberg today reported that "Verizon Communications Inc. is exploring a price cut or possible exit from its $4.83 billion pending acquisition of Yahoo! Inc., after the company reported a second major e-mail hack affecting as many as 1 billion users."
Payment, Bank Data 'Not Affected'
Yahoo's chief information security officer Bob Lord announced the discovery of the 2013 hack in a post yesterday on the company's Tumblr blog. He said the breach could have revealed users' names, email addresses, telephone numbers, dates of birth and hashed passwords.
In some cases, account holders' encrypted and unencrypted security questions and answers could also have been stolen. "Payment card data and bank account information are not stored in the system the company believes was affected," Lord added.
Regarding the separate discovery of forged cookies, Lord said Yahoo has "connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
Beyond continuing to work with law enforcement officials, Yahoo is recommending that users take a number of security precautions. These include changing passwords as well as the security questions and answers for any accounts using the same security information as their Yahoo accounts, watching for suspicious online activity and avoiding links and attachments in suspicious emails.
'More than 150K Government Employees' Affected
"It's horrendous news for Yahoo, which is trying to sell itself to Verizon," computer security analyst Graham Cluley wrote today on his blog. "But it's even worse for the innocent users and companies whose information has been exposed as a result of this hack."
The latest user data stolen from Yahoo is believed to include account information from "more than 150,000 U.S. government and military employees," according to a report by Bloomberg yesterday evening. "It's a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security. These employees had given their official government accounts to Yahoo in case they were ever locked out of their e-mail."
The discovery that numerous government employees might be affected by this latest hack on Yahoo was credited to Andrew Komarov, chief intelligence officer with the cybersecurity firm InfoArmor. Komarov discovered a database of stolen data from Yahoo users in August and notified law enforcement authorities, which then reported the discovery to Yahoo.