Yahoo reveals new hack, this time a billion-plus users (Update 3)

December 14, 2016

This Tuesday, July 19, 2016 photo shows a Yahoo sign at the company's headquarters in Sunnyvale, Calif. On Wednesday, Dec. 14, 2016, Yahoo said it believes hackers stole data from more than one billion user accounts in August 2013. (AP Photo/Marcio Jose Sanchez)

Yahoo said Wednesday personal data from over a billion users was stolen in a hack dating back to 2013—twice as big as another breach disclosed just three months ago.

In a huge blow to the struggling internet pioneer, Yahoo said it made the discovery as it was investigating what was already the largest data breach of a single company.

"Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," it said in a statement.

Yahoo said this case "is likely distinct from the incident the company disclosed on September 22, 2016" affecting 500 million users.

The news poses a fresh threat to Yahoo's deal to sell its core operating assets to Verizon for $4.8 billion.

In November, Yahoo disclosed that as part of its investigation into the prior breach, it had received data files from law enforcement "that a third party claimed was Yahoo user data."

Source of hack unclear

Using outside forensic experts, Yahoo now confirms that this was indeed user data but added that it "has not been able to identify the intrusion associated with this theft."

The statement added that "Yahoo has taken steps to secure user accounts and is working closely with law enforcement."

Yahoo's chief security officer Bob Lord said in a blog post that some of the intrusions were done by hackers who accessed accounts without a password by using "forged cookies," or data files which verify a device or user.

"We believe an unauthorized third party accessed our proprietary code to learn how to forge cookies," he said, adding that "we have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22."

Yahoo also said it was requiring affected users to change their passwords, and had invalidated unencrypted security questions and answers.

Yahoo said in September it believed the breach of information on 500 million users was "state sponsored" but some analysts have questioned this theory.

The stolen user account information in the newly disclosed breach may have included names, email addresses, telephone numbers, dates of birth, "hashed" passwords and, in some cases, encrypted or unencrypted security questions and answers, Yahoo said.

The hackers did not obtain passwords in clear text, payment card data, or bank account information, it said.

The latest breach discovery is a further embarrassment to a company that was one of the biggest names of the internet but which has failed to keep up with rising stars such as Google and Facebook.

Not just technology

Steve Grobman, chief technical officer at Intel Security, said the two incidents show "there were clear weaknesses in the architecture" used by Yahoo but that such hacks are not just about technology.

Large organizations holding vast amounts of user data, Grobman said, "need to rely not just on technology but use independent or internal resources to defend against attack scenarios."

Grobman said Yahoo can recover from the debacle but that "it needs to be transparent and show that it will emerge with the best security."

Patrick Moorhead, analyst at Moor Insights & Strategy, said it is possible the disclosure will kill the tie-up with Verizon.

"In the end it will be determined by how Yahoo customers react and what Verizon thinks about this," Moorhead said.

"I don't think Yahoo is worth nearly as much as it was before these two breaches because they can no longer be trusted. Yahoo can build back trust but it will take investment and focus."

Yahoo, after a series of reorganizations, decided late last year to sell its main operating business as a way to separate that from its more valuable stake in Chinese internet giant Alibaba.

Yahoo's plan would place its main operating business within Verizon, which has already acquired another faded internet star, AOL.

The remaining portion would be a holding company with stakes in Alibaba and Yahoo Japan.

Verizon said in a statement late Wednesday that it would await further news of the investigation before making any decision.

"As we've said all along, we will evaluate the situation as Yahoo continues its investigation," the statement said.

"We will review the impact of this new development before reaching any final conclusions."

Verizon had said the prior breach was likely "material," meaning it could allow the telecom giant to scrap the deal or lower its offer.

Yahoo's valuation hit $125 billion during the dot-com boom, but it has been losing ground since then despite several efforts to reboot.

In the mid-1990s, Yahoo was among the most popular destinations on the internet, helping many people navigate the emerging web.

It became the top online "portal," connecting users to news, music and other content. But its fortunes started to fade when Google began to dominate with its powerful search engine.

1 comment

conprehensible
not rated yet Dec 14, 2016
You don't catch Google or Microsoft admitting similar hacks, it's a question of poor management. I wrote an email in Yahoo of 50 lines, it crashed after 25 lines and I reverted to a draft. In my typing it crashed again after 50 lines, and this time the draft saved version was blank. Poor management.