More than 1 billion Yahoo accounts may have been exposed after a third-party hacker hit the internet company in a separate attack from the one that was revealed in September.
“Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” the company said in a statement. “The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.”
That hack, which affected 500 million accounts, was among the biggest breaches of all time. At 1 billion this time, Yahoo may have earned a dubious new honor.
The data stolen in the newly revealed breach includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers.
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected,” the Yahoo statement said.
Authorities handed over data files from a third party that were purported to include Yahoo data, according to the company’s chief information security officer, Bob Lord.
“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” Lord wrote.
Through forensic analysis, Yahoo was then able to determine that a breach occurred in August 2013.
It’s “very rare” to learn about two mega-breaches in such a short window of time, Jeremiah Grossman, chief of security at the cybersecurity company SentinelOne and a former Yahoo employee, told NBC News.
“It’s really few and far between,” he said. “Having multiple distinct breaches doesn’t sound good.”
Yahoo will notify potentially affected users and require them to change their passwords.
Because security questions and answers were stolen, Yahoo has nullified any unencrypted questions and answers, Lord wrote.
The latest disclosure comes after a tumultuous year for Yahoo.
It was announced in July that Verizon had reached an agreement to buy Yahoo for $4.83 billion. The deal is still in process, and it remains unclear how the latest revelation could affect the sale.
In a November SEC filing, Yahoo warned Verizon could still pull out of the deal.
“There is no assurance” the merger will be “consummated in a timely manner or at all,” the filing said.
It’s also possible Verizon could renegotiate, buying Yahoo for a lesser price.
“Breaches or security concerns have never materially impacted an acquisition but this one could be different,” Grossman said.
In addition to possibly scuppering one of the year’s biggest deals, Yahoo’s September mega-breach has led to a plethora of federal, state and local investigations and legal inquiries, along with dozens of class-action lawsuits from consumers. There’s no telling what could come after this latest disclosure.