Yahoo says hackers stole information from more than 1 billion accounts
Reporting from New York — Yahoo said Wednesday that hackers stole data that could be connected to more than 1 billion accounts — believed to be the most users affected in a single breach.
The Sunnyvale, Calif., tech firm said the breach probably occurred in August 2013 and is not linked to a hack disclosed in September that affected some 500 million user accounts.
Chief information and security officer Bob Lord wrote on the Yahoo blog that the company became aware of the breach in November when law enforcement officials provided the company with files that a third party claimed contained Yahoo user data.
“We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” Lord said. “Based on further analysis of this data … we believe an unauthorized third party … stole data associated with more than one billion accounts.”
Lord said the company had not yet identified the party responsible for the theft.
User data that may have been stolen includes names, email addresses, telephone numbers, dates of birth and encrypted and unencrypted security questions and answers, among other details. The investigation so far suggests hackers did not obtain credit card or bank account information.
“We’ve taken steps to secure user accounts, and we are working closely with law enforcement,” Yahoo said in a prepared statement.
The company has reached out to users it believes were affected by the breach and is urging them to change their passwords.
Given that the breach occurred three years ago, resetting users’ passwords might be too little too late, according to security experts.
“The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo,” said Shuman Ghosemajumder, chief technology officer of Shape Security, who used to head Google’s trust and safety product teams. “Until users change their passwords [on other sites], those accounts may continue to be accessible to cybercriminals.”
The latest breach is yet another setback for the tech firm, whose sale to Verizon was already on shaky ground earlier this year when it disclosed the previous breach affecting 500 million user accounts -- itself the largest in the history of data breaches. That breach occurred in 2014 and went undetected by the tech firm for nearly two years.
This latest hack, which might affect twice the number of accounts, would take the cake, though.
“This is a massive issue,” said Jo Webber, chief executive of security firm Spirion. “Most companies that don’t have the resources of Yahoo will find a breach in less than a year. Why did it take Yahoo three years?”
Verizon had agreed to pay $4.83 billion to buy Yahoo’s core business in July, and was made aware of the 2014 data breach only after the deal had been signed. The company said at the time that it had reason to believe the breach had “material impact” on the deal.
On Wednesday, Verizon said it “will evaluate the situation as Yahoo continues its investigation [and] we will review the impact of this new development before reaching any final conclusions.”
Security experts said they’d be surprised if the Verizon deal went through unscathed, though, because the scale of the breaches could be an enormous liability to any company that acquires Yahoo. The Internet company is already the subject of class-action lawsuits resulting from the breach it announced in September.
If any of the user accounts were in Europe, the company could be subject to tough European penalties, too, Webber said.
And while Verizon mulls over how to proceed with its Yahoo purchase, security experts such as George Avetisov, CEO of biometrics security firm HYPR, suggest Internet users consider their next steps as well.
“The only solution is to think back: as a Yahoo user, did you ever use your password anywhere else?” Avetisov said. “It would be prudent to change everything.”
UPDATES:
4:30 p.m.: This article was updated with additional quotes from security industry experts.
2:55 p.m.: This article was updated with staff reporting adding context and detail about this breach and past Yahoo hacks.
This article was originally published at 2:20 p.m.