A massive 2013 breach affecting 1 billion user accounts, followed by a hack revealing data on 500 million, has been revealed by Yahoo. It might jeopardize a $4.8 billion deal with Verizon.
Yahoo just admitted to another astonishingly big breach, one that surpasses its previous ignominious record, in which data on 500 million accounts was stolen: a whopping 1 billion accounts were hit in 2013.
The two breaches were entirely separate, the bigger of the two in August 2013, the other a year later, Yahoo confirmed in a Tumblr post today. The data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” explained chief information security officer Bob Lord. No plaintext passwords were leaked, nor were payment card data or bank account information.
Yahoo has not been able to determine just how all that data went missing. It only learned of the leak thanks to a law enforcement disclosure, confirmed in November.
Separately, in another worrying development, Yahoo confirmed hackers were able to steal its “proprietary code” on how to forge cookies, which “could allow an intruder to access users’ accounts without a password.” Affected account holders are now being warned.
Lord said some of that activity was linked to the same state-sponsored actor believed to be responsible for the 2014 theft of 500 million accounts. No specific country has been blamed for those attacks, and there was no indication a foreign government had sponsored the 1 billion breach.
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account,” Lord added. “With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks.”
FORBES has asked Yahoo why it couldn’t determine how the 2013 hackers stole such an incredible amount of data without leaving a trace, and if it knew what nation state was behind the 2014 attack. It had not responded at the time of publication.
Verizon deal in danger?
Questions will again be asked of Yahoo’s $4.8 billion sale to Verizon. Just a month ago, in an SEC filing, Yahoo admitted that as a result of the 2014 security incident, Verizon “may seek to terminate the stock purchase agreement or renegotiate the terms of the sale transaction on that basis.”
FORBES asked Verizon about the impact of today’s revelation on the acquisition. It had not responded at the time of publication.
With a possible 1.5 billion accounts leaked, Verizon execs are looking at acquiring a company with a severely damaged reputation, one that had already been tarnished by declining profits and customers before and after current CEO Marissa Mayer took control in 2012. The stock was, at the time of publication, falling, down 2.6 per cent since the morning.