

Yahoo: Did We Say 500 Million? Actually It Was 1 Billion Pwned

The bad news about Yahoo’s security keeps on coming in 2016.
Image: Claudio Divizia/Shutterstock

2016 is definitely not the year of Yahoo. After admitting in September that hackers had stolen at least 500 million users' passwords and personal data, the company now says it has found evidence of what might be a separate attack affecting 1 billion victims.

"We believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft," Yahoo's head of security Bob Lord wrote in a blog post.



Lord explained that the hackers may have stolen "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers." Lord also said that the hackers stole Yahoo's secret code for forging user cookies, which can be used to access accounts without a password.

A company spokesperson did not respond to an email requesting further information about the incident.

In August, Motherboard reported that a cybercriminal was selling what he claimed was a data trove containing 200 million Yahoo user credentials on the dark web. At this point, it's unclear if this alleged sale is in any way connected with these other incidents.
