Hackers stole data from more than one billion user accounts: Yahoo
Yahoo says it has identified a new system breach, where hackers are believed to have stolen data from more than one billion user accounts in August 2013, making it the largest breach in history.
The company believes the breach is separate from the one it reported less than three months ago, in which 500 million accounts were compromised in 2014. That breach was believed to be the world's largest known at the time.
Yahoo said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
The company said it didn't know who was behind its newly-discovered breach.
"We have not been able to identify the intrusion associated with this theft," wrote Bob Lord, Yahoo's chief information security officer, in a public post announcing the latest breach.
An important message for Yahoo users about the security of their account: https://t.co/iHub7C7aI7 (Yahoo Inc., @YahooInc, December 14, 2016)
"Payment card data and bank account information are not stored in the system the company believes was affected," he said.
The company is requiring customers who were affected to change their passwords.
Lord also referred to an existing probe on the creation of forged cookies, which could allow an intruder to access users' accounts without a password.
"Based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.
"We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," said Lord.
SPARK NZ COMMENTS ON YAHOO BREACH
Spark said in a statement it was working with Yahoo to determine if any Xtra email accounts had been hacked.
"The historic data stolen is believed to be username and password combinations, so customers who have changed their password since August 2013 are not likely to be vulnerable," Spark spokeswoman Michelle Baguley said.
"Secret questions and answers for New Zealand customers are not stored by Yahoo."
Spark is in the process of moving all its email systems from Yahoo back to New Zealand.
"If customers have already given us permission to have their email moved home, and changed their password as part of the permission process, they won't need to do it again," said Baguley.
People with Xtra email accounts who have not changed their password since 2013 should change it now on the Spark website.
LATEST ATTACK PUTS VERIZON'S ACQUISITION IN DOUBT
Yahoo, which is being acquired by Verizon, said it was working closely with law enforcement to investigate the hack.
The new security scandal raises fresh questions about Verizon's US$4.8 billion proposed acquisition of Yahoo, and whether the big mobile carrier will seek to modify or abandon its bid.
If the hacks cause a user backlash against Yahoo, the company's services will not be as valuable to Verizon, which wants Yahoo and its many users to help it build a digital ad business.
In a statement, Verizon said it will evaluate the situation and will review the "new development before reaching any final conclusions".
Cryptologist and world-renowned security expert Bruce Schneier slammed the latest revelations by Yahoo.
"Yahoo badly screwed up," he said, after the internet company's latest disclosure.
"They weren't taking security seriously and that's now very clear. I would have trouble trusting Yahoo going forward."
Another security analyst said future breaches of Yahoo accounts were inevitable.
"The fact that we now have two breaches implies that Yahoo security measures were inadequate. So it is more likely there will be future breaches uncovered," said Laura Martin, senior analyst entertainment and Internet at Needham Equity Research.
Regarding its Verizon deal, Yahoo said in a statement: "We are confident in Yahoo's value and we continue to work towards integration with Verizon."