Yahoo, still reeling from a hack that impacted more than 500 million accounts earlier this year, on Wednesday revealed another one billion accounts were compromised in a separate attack dating back to 2013.
The recently disclosed data breach appears to have leaked data similar to information obtained in a separate hack revealed in September, judging by information released in a Yahoo statement.
According to the company, the latest intrusion exposed user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed with the MD5 algorithm, and encrypted or unencrypted security questions and answers. Yahoo does not believe password information was disclosed in clear text, nor did payment card data or bank account information leak as part of the breach.
By comparison, Yahoo's 2014 hack, which involved some 500 million accounts, reportedly revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions. At the time, the company blamed the attack on a state-sponsored actor.
While the attack is distinct from the breach disclosed in September, Yahoo is blaming at least part of the activity on the same state-sponsored agent or agents.
Thought to have been carried out in 2013, the attack was only recently uncovered by Yahoo's security team. In November, law enforcement officials furnished the company with data files that a third party claimed were gleaned from user accounts. Analysis of the data narrowed the probable attack window down to August 2013.
"We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016," the company said in an email sent out to affected users.
Detailing how hackers managed to break into more than one billion accounts, Yahoo CISO Bob Lord said his team believes an unauthorized third party likely accessed Yahoo's code in 2013 and discovered a way to forge cookies. Armed with a cookie creation tool, intruders would be able to access accounts without a password.
Yahoo is in the process of notifying users it believes were impacted by the breach and is requiring those affected to change their passwords. The company also invalidated unencrypted security questions and answers in a bid to stave off follow-up attacks.
News / media outlets per Yahoo! advising users change passcodes/words 'immediately'. :|
This happened in 2013.
Wunderbar......
Yahoo: "Hi Mr. Smith, it's Yahoo. Just wanted to tell you 3 years ago all your personal information and passwords were stolen. If you need anything, don't hesitate to contact us."
Such a POS company. I don't use my Yahoo! account anymore, but the password structure I used there was somewhat similar to other, more important sites. Now I have to change everything. Ugh.
We, as a country, are screwed. We care zero about, and as a result, invest very little in security and privacy. It's biting us in our digital butts in every which way, including our elections (it's the Dems today, but I guarantee it'll be the Repubs tomorrow). The Russians, Chinese, and the (third-rate) N Koreans cause much of this mayhem, and just point and laugh at us. It shocks and surprises me that we don't have the balls to take out their digital infrastructures (I am sure we have the means).
Hopefully, Trump will be a little different. We'll see.