Less than three months after Yahoo disclosed that it suffered a devastating hack in 2014 that exposed the information of 500 million users, the company today admitted yet another, far larger breach.
Yahoo said in a press release that in August 2013, “an unauthorized third party” stole data associated with more than one billion accounts. The revelation of this second hack came upon “further analysis” of data that law enforcement provided Yahoo in November.
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo’s release stated. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.”
A request for further comment from Yahoo was not immediately returned. A source familiar with the situation, who was not authorized to discuss it, said there was overlap between the accounts affected by the 2013 and 2014 hacks but could not specify how many accounts were affected by both incidents.
Separately, Yahoo said that outside forensic experts have found that an unauthorized third party created “forged cookies” — cookies are used by web sites to keep track of users — in order to access user accounts without a password. The company added that it has connected some of the forged cookies, which were “taken or used in 2015 and 2016,” to the “state-sponsored actor” behind the 2014 hack.
In a filing last month, Yahoo said that its September disclosure of a giant data breach could imperil its pending $4.8 billion sale to Verizon. Earlier reporting said that Verizon wanted a $1 billion discount on the sale because of the hack, and Democrats in the U.S. Senate signed a letter condemning Yahoo for an “unacceptable” delay in notifying users about it.
In a statement emailed to VICE News, a Verizon spokesperson said that “we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”