Yahoo has suffered yet another massive data breach, this time with an unauthorized third party gaining access to information related to more than one billion user accounts in August 2013.
According to a statement released by the company following the confirmation, data associated with more than one billion user accounts was stolen in the intrusion associated with this theft, but they believe that this incident is likely distinct from the incident the company disclosed on September 22, 2016.
"Following a recent investigation", the statement from Yahoo's Chief Information Security Officer Bob Lord goes on to say, "we’ve identified data security issues concerning certain user accounts. We’ve taken steps to secure those user accounts and we’re working closely with law enforcement."
The compromised data user data may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo's investigation did indicate that the stolen information did not include payment card data, or bank account information.
As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. Bob Lord, Yahoo Chief Information Security Officer
The data may have been stolen through the use of forged cookies, which could allow an intruder to access users’ accounts without a password. To do this, the intruders accessed Yahoo's proprietary code to learn how to forge cookies.
After identifying the accounts that were used to create these forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.
The attack may have been connected to a 'state-sponsored actor', who the company believes to be responsible for a previous data theft that was disclosed on September 22, 2016.
Potentially affected users have been notified and asked to change their passwords. Unencrypted security questions have also been made invalid, so that they cannot be used to access an account.
With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.
If you believe your account may have been compromised, Yahoo recommends that you take the following steps:
- Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
- Review all of your accounts for suspicious activity;
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
- Avoid clicking on links or downloading attachments from suspicious emails; and
- Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.