Yahoo confirmed that it has discovered a breach of more than one billion user accounts dating back to August 2013. The internet giant is already reeling from a separate and distinct hack in 2014 affecting 500 million users, which it disclosed in September.
Yahoo said in a statement that an “unauthorized third party accessed the company’s proprietary code to learn how to forge cookies”, which would let an attacker be treated as a logged-in user without ever supplying that user’s password. The data stolen from the accounts included usernames, email addresses, telephone numbers, birth dates, hashed passwords, and security questions and answers.
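Why access to the signing code matters is easiest to see with a concrete session-cookie scheme. The following is an added illustration, not Yahoo’s code, and the cookie layout, HMAC-SHA256 tag, and key values are all assumptions: a server mints `payload.tag` cookies under a secret key, and an attacker who has learned the scheme and obtained the key can mint a valid cookie for any victim. The example also goes a step beyond the article to show that a wrong key guess and a payload edited after signing are both rejected, and that rotating the server key invalidates every cookie minted under the leaked one.

```python
# Added example (not Yahoo's code). Cookie format, HMAC-SHA256 tag and the
# key values below are assumptions chosen for illustration.
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: bytes, key: bytes) -> str:
    """Tag = HMAC-SHA256(key, payload), url-safe base64 without padding."""
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def mint_cookie(user: str, key: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Server side: encode "user:expiry" and append its tag under `key`."""
    exp = (int(time.time()) if now is None else now) + ttl
    payload = f"{user}:{exp}".encode()
    return f"{_b64(payload)}.{sign(payload, key)}"


def verify_cookie(cookie: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the user if the tag verifies under `key` and the cookie is unexpired, else None."""
    try:
        p_b64, tag = cookie.split(".", 1)
        payload = _unb64(p_b64)
        user, exp = payload.decode().rsplit(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time compare so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(sign(payload, key), tag):
        return None
    if (int(time.time()) if now is None else now) >= int(exp):
        return None
    return user


def forge_cookie(victim: str, leaked_key: bytes, now: int) -> str:
    """Attacker side: with the scheme and the key in hand, a cookie for
    any account is just another call to the same minting routine."""
    return mint_cookie(victim, leaked_key, ttl=365 * 24 * 3600, now=now)


def tamper_user(cookie: str, new_user: str) -> str:
    """Attacker side without the key: swap the user field but keep the old tag."""
    p_b64, tag = cookie.split(".", 1)
    _, exp = _unb64(p_b64).decode().rsplit(":", 1)
    return f"{_b64(f'{new_user}:{exp}'.encode())}.{tag}"


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    now = 1_400_000_000              # fixed clock so the result is deterministic
    leaked_key = b"server-secret-v1"  # assumed to have leaked with the source
    victim = "alice@example.com"

    forged = forge_cookie(victim, leaked_key, now)
    with_key = verify_cookie(forged, leaked_key, now)          # accepted as alice

    guessed = forge_cookie(victim, b"wrong-guess", now)
    wrong_key = verify_cookie(guessed, leaked_key, now)        # rejected

    legit = mint_cookie("bob@example.com", leaked_key, now=now)
    edited = verify_cookie(tamper_user(legit, victim), leaked_key, now)  # rejected

    rotated_key = b"server-secret-v2"                          # server rotates its secret
    after_rotation = verify_cookie(forged, rotated_key, now)   # old forgery now rejected

    return with_key, wrong_key, edited, after_rotation


if __name__ == "__main__":
    print(demo())
```

The point the article’s quote makes is the first result: once the scheme and secret are known, forgery needs no stolen password at all, so password resets alone do not lock the attacker out. The last result is the corresponding remedy, rotating the server secret so that every cookie minted under the leaked key stops verifying.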
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data or bank account information,” Yahoo said. “Payment card data and bank account information are not stored in the system the company believes was affected.”
Yahoo blamed the 2014 attack on a hacker affiliated with an unidentified foreign government. As for the newly disclosed hack, “the company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Yahoo reveals another breach, in which hackers “stole data associated with more than one billion user accounts.” pic.twitter.com/CfSDn7RY8F
— Hayley Tsukayama (@htsuka) December 14, 2016
Critics are now questioning Yahoo’s transparency with its users. The Sunnyvale, California-based company had known about the account breach for almost two years but withheld the information even from its investors, disclosing the data theft only on Wednesday.
Another cause for serious concern is the scale: one billion affected accounts represents most of Yahoo’s users worldwide. Names, birth dates, phone numbers and security answers are exactly the details used for identity theft and for answering password-reset questions at other services, and the consequences of a personal data breach are worse still for financial institutions and other companies whose databases hold users’ financial data.
As a counter-measure, Yahoo urges users to change their passwords and invalidate their security questions, measures it did not require during the 2014 breach. Users should also avoid reusing the same password across multiple online accounts and pair their password with a phone-based second factor for authentication.