Yahoo disclosed a security breach even more massive than the one it revealed in September, saying that data from more than 1 billion user accounts was stolen by an unknown party in 2013.
The major revelations that hackers have preyed on Yahoo’s weak security systems pose a threat to Verizon’s $4.8 billion proposed acquisition of the internet company. The security breaches could lead the telco to negotiate the price down, or even abandon the deal altogether.
Asked for comment, a Verizon spokesman said, “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”
The 2013 incident is easily the biggest security breach on record. Yahoo said in September that information on at least 500 million email accounts was stolen by “state-sponsored” hackers in 2014. According to Verizon, it had only been informed of the scope of the breach two days prior to Yahoo’s Sept. 22 announcement. Subsequently, Verizon general counsel Craig Silliman said the disclosure represented a “material” event, which could prompt the terms of the deal to be renegotiated.
The 1 billion-plus accounts hacked in August 2013 were “likely distinct” from the previously reported breach, Yahoo said, although it said it has connected some of the activity in the 2013 incident to the same hacker or hackers thought to be behind the 2014 breach. The company said it discovered the larger hack after reviewing data files provided by law enforcement; it analyzed the files with the assistance of outside forensic experts and found that they appeared to be Yahoo user data.
According to Yahoo, the user account information stolen in 2013 may have included: names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” the company said. Yahoo also said users’ payment card data and bank account information are not stored in the system it believes was compromised.
Based on its ongoing investigation, Yahoo said, it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies — which web browsers use to track users — and that could have allowed an intruder to access user accounts without a password. Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Previously, experts said Yahoo’s costs associated with the security breach will run into the tens of millions of dollars. The security breach disclosed in September has already led to at least 23 proposed class-action lawsuits by users who claim they were affected.