When Yahoo confirmed details of its massive data breach of 500 million accounts back in September, consumers were aghast at how the company could have let it happen. Well, that indignation is likely to face an even bigger gut-check.
On Wednesday afternoon, the company announced that even more customer data had been stolen in a separate breach; this time, information on one billion accounts was compromised. (Yes, that's billion, with a “B.”) In the announcement, the company explained that it had recently been working with law enforcement on identifying data files that turned out to be Yahoo user data.
“Based on further analysis of this data by forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” the company said in its release.
One billion compromised accounts
Unfortunately for the company and users, there will be no double dipping when it comes to compromised accounts. The company said that it believed this breach was distinct from the 500 million breached accounts that were announced in September.
For affected accounts, the exposed information potentially includes names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5, a fast hash that offers little protection against offline password cracking), and security questions and answers. As with the September breach, payment card data, clear-text passwords, and bank account information were not compromised, the company said.
Yahoo believes the cause of the breach is connected to what forensic experts call “forged cookies.” Cookies are small pieces of data a website stores in a user’s browser so that it can recognize that user on later requests, for example to keep them logged in. In this case, hackers used forged versions to access users’ account data without needing a password.
Yahoo says that it has invalidated these forged cookies and is notifying affected account holders. It is also in the process of nullifying unencrypted security questions and answers so that hackers cannot use them to gain further access to accounts. The company has asked users to reinforce their account security by changing passwords and security questions, reviewing their accounts for suspicious activity, and using the Yahoo Account Key authentication tool.
Updating security and avoiding scams
The fact that Yahoo has not been able to identify the intrusion, along with this being perhaps the biggest consumer data hack of all time, could be a death blow to its acquisition by Verizon, which said it will continue to evaluate the situation, according to Business Insider. The telecommunications company had reportedly been seeking a discount after details came out about the September breach, so it’s anyone’s guess what will happen to the deal going forward.
Experts have been quick to offer their opinions on the new breach, with many saying that enabling multifactor authentication is a must going forward. Intel Security Chief Gary Davis has echoed Yahoo’s advice that users should immediately change their login credentials and security information. He also cautions users to be vigilant in scrutinizing future messages they receive, to avoid potential scams.
“As a part of overall good digital hygiene, [customers] should also be more cautious what emails they click on. In recent years, we have seen instances where cybercriminals create rich profiles of users. The more information they can collect, the more effective they can be in targeting users with social engineering attacks and other forms of scams,” he said.
“Yahoo customers should also be on the lookout for calls from people claiming to be with a well-known technology company and asking for account access or the IRS requesting credit card numbers, passwords to certain accounts or other forms of personally identifiable information.”