Data on one billion Yahoo users was likely stolen by an unauthorized third party in a data breach that occurred in August 2013, the company said in a Wednesday press release that also noted the breach is “likely distinct” from a breach previously disclosed in September.
The information included were birth dates, names, hashed passwords, email addresses, telephone numbers and, at least in some cases, security questions and answers, some of which were encrypted. Yahoo said there is no indication that passwords in clear text, payment card data or bank account information were among data stolen in the 2013 breach. That information is not stored on the system that Yahoo believes the intruder penetrated.
Law enforcement contacted the tech giant in November with data files that a third party purported to contain information on Yahoo users. With the help of forensics experts the company confirmed the data seemed to be legitimate although it has yet to uncover an intrusion in which the information was purloined.
“This is absolutely shocking that Yahoo has again just been informed by external parties via law enforcement that they have been the victim of the largest data breach in history," Joseph Carson, Head of Global Strategic Alliances at Thycotic, told SC Media. "More than one billion user accounts have been disclosed and impacted by this breach, meaning that almost one in three people using the internet have been impacted by this single breach alone."
The second breach "brings the total number of stolen credentials and passwords this year to more than 3 billion which almost equals the number of people actually using the internet," said Carson. "That is astonishing."
The company said it was securing the affected accounts by taking measures such as requiring uses to change passwords. The company also invalidated the unencrypted security questions and answers on those accounts affected.
Yahoo also said that results from an ongoing investigation into the creation of forged cookies seems to indicate that a cyberprowler gained access to its proprietary code with the intention of learning how to forge cookies. Investigators have flagged user accounts where forged cookies may have been taken or used and discovered links to a state-sponsored actor likely responsible for the data theft in an earlier breach the company reported in September.
"It appears thus far from the publicly disclosed information that this is resulting from privileged unauthorized third party access. This has been a common source of many of the data breaches this year," Carson said.
The company, which is slated to be acquired by Verizon, is notifying users and has set up a Yahoo Security Issues FAQs page. "Yahoo has stated that they are notifying account holders impacted by this breach which means they are informing, get this, nearly one out of every seven people on this planet," said Carson, who expects the breach to "likely impact the proposed agreement between the two companies.
"The value will likely decrease to cover the potential costs of this breach which could be the biggest financial impact from any cyber breach to date," he said. "This breach is one to surely watch and will likely cause many issues for Yahoo in the EU with the European Commission and the Data protections regulations who will be looking for answers from Yahoo for both of the major breaches this year."