Less than three months after Yahoo disclosed it had suffered a devastating hack in 2014 that exposed the information of 500 million users, the company on Thursday admitted yet another, far larger breach.
The tech giant said in a press release that in August 2013, “an unauthorized third party” stole data associated with more than 1 billion accounts. The revelation of this second hack came upon “further analysis” of data that law enforcement provided Yahoo in November.
“For potentially affected accounts, the stolen user-account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo’s release stated. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information.”
A request for further comment from Yahoo was not immediately returned. A source familiar with the situation but not authorized to discuss it in depth said there was overlap between the accounts affected by the 2013 and 2014 hacks but could not specify how many accounts were affected by both incidents.
Separately, Yahoo said that outside forensic experts have found that an unauthorized third party created “forged cookies” — cookies are used by websites to keep track of users — in order to access user accounts without a password. The company added that it has connected some of the forged cookies, which were “taken or used in 2015 and 2016,” to the “state-sponsored actor” behind the 2014 hack.
In a filing last month, Yahoo said its September disclosure of a giant data breach could imperil its pending $4.8 billion sale to Verizon. Earlier reporting said that Verizon wanted a $1 billion discount on the sale because of the hack, and Democrats in the U.S. Senate signed a letter condemning Yahoo for an “unacceptable” delay in notifying users about it.
In a statement emailed to VICE News, a Verizon spokesperson said, “We will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”