
Yahoo! has disclosed a new security breach that it says affected over 1 billion of its user accounts. The company said it has taken steps to secure user accounts and identify the source of the hack.
As part of the investigation into the previous security breach announced in September, law enforcement officials provided the company with data files that a third party claimed were Yahoo user data. Analysis of the data with outside forensic experts found that it appears to be Yahoo user data. The company believes it was stolen in August 2013, but it has not been able to pinpoint how the attackers entered its systems. Yahoo thinks the attack was distinct from the previously disclosed one, which took place in 2014.
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Yahoo said it does not appear that the stolen information included passwords in clear text, payment card data, or bank account information. Payment card and bank account information are not stored in the system the company believes was affected.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
Based on the ongoing investigation, the company also believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. Such forged cookies could be used to access user accounts without a password. The forensic experts hired by Yahoo have identified user accounts for which they believe forged cookies were taken or used, and these users will be notified. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed in September.
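The cookie forgery described above is what a keyed, server-verified session cookie is designed to rule out: reading the code that builds the cookie must not be enough to mint one. The block below is an added illustration, not Yahoo's code; the HMAC-SHA256 construction, the JSON claims and the key values are assumptions. It shows that a cookie minted without the real key fails verification, that rotating the key invalidates every outstanding cookie, and that an issued-before cutoff lets the operator revoke sessions server-side.

```python
import base64, hashlib, hmac, json, time

# Assumption: a server-side secret kept outside the code base (constructed demo value).
SERVER_KEY = b"constructed-demo-key-rotate-me"


def issue_cookie(user_id, key=SERVER_KEY, issued_at=None):
    """Mint cookie = base64(claims) + '.' + base64(HMAC-SHA256(key, claims))."""
    claims = {"uid": user_id, "iat": int(time.time()) if issued_at is None else issued_at}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_cookie(cookie, key=SERVER_KEY, not_before=0):
    """Return the user id the cookie proves, or None if it is malformed, forged or revoked."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:  # no separator or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare; length mismatch is just False
        return None
    claims = json.loads(payload)  # only reached for payloads this server actually signed
    if claims.get("iat", 0) < not_before:  # server-side cutoff revokes every older cookie at once
        return None
    return claims.get("uid")


def demo():
    """Exercise the cases a defender cares about; returns a dict of outcomes."""
    genuine = issue_cookie("alice", issued_at=1000)
    # Someone who knows the format and algorithm but not the key can only sign with a guess.
    minted_without_key = issue_cookie("alice", key=b"attacker-guess", issued_at=1000)
    return {
        "genuine": verify_cookie(genuine),                              # "alice"
        "minted_without_key": verify_cookie(minted_without_key),        # None
        "after_key_rotation": verify_cookie(genuine, key=b"new-key"),   # None
        "after_revocation_cutoff": verify_cookie(genuine, not_before=2000),  # None
        "malformed": verify_cookie("not-a-cookie"),                     # None
    }


if __name__ == "__main__":
    print(demo())
```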