Yahoo disclosed Wednesday another security incident, affecting more than a billion user accounts, that is twice the size of the breach the company announced earlier this year.
“We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo CISO Bob Lord wrote in a blog post. “We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
Among the data taken were names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.
Additionally, the company found that an “unauthorized third party accessed the company’s proprietary code to learn how to forge cookies,” which allowed access to accounts without a password. Yahoo believes that activity was carried out by the same state-sponsored actor believed to be responsible for the breach disclosed in September.
The past few months have been brutal for Yahoo. The breach disclosed in September involved user details from more than 500 million Yahoo accounts, including names, birth dates and encrypted passwords, stolen nearly two years earlier by what the company described as state-sponsored hackers.
A few weeks later, a Reuters report found that Yahoo had allowed U.S. intelligence agencies to search emails sent to its customers via a special program built in secret by company engineers.
These stories have come as Yahoo negotiates its acquisition by telecom giant Verizon for $6.4 billion. After the September breach, there were reports that Verizon had found a “reasonable basis” to back away from the deal.
Representatives from Verizon and Yahoo were not available for comment.