Yahoo Discloses New Breach of 1 Billion User Accounts
Verizon, which has struck a deal to buy the company’s core business, says it will review the impact of the new breach
The Yahoo logo is shown at the company's headquarters in
By Anne Steele
THE WALL STREET JOURNAL
Updated Dec. 14, 2016 5:26 p.m. ET
Yahoo Inc. revealed new security issues affecting more than a billion users’ data, a theft that is separate and twice as large as the hack it disclosed earlier this year.
On Wednesday, Yahoo said an unauthorized third party stole data associated with more than one billion user accounts in August 2013. In September, Yahoo blamed “state-sponsored” hackers for stealing data on 500 million user accounts, which at the time was the largest theft of personal user data ever disclosed.
Yahoo, which has agreed to sell its core business to Verizon Communications Inc., said it has connected some of the activity disclosed Wednesday to the same state-sponsored actor believed to be responsible for the data theft disclosed in September.
On Wednesday, Verizon said it would review the impact of the new breach.
Yahoo said it has taken steps to secure user accounts and is working closely with law enforcement.
In November, Yahoo disclosed law enforcement gave the company data files that a third party claimed was Yahoo user data. On Wednesday, the company confirmed it appears to be Yahoo user data.
Yahoo said it hasn’t identified the intrusion associated with the theft but believes it is likely distinct from the incident the company disclosed in September.
Earlier Coverage
What Yahoo Users Can Do After the Hack (Sept. 22)
It’s Time to Cancel Your Forgotten Internet Accounts (Sept 23)
Yahoo Breach Raises Questions About Password Resets (Sept. 28)
The stolen data in both cases may have included names, email addresses, dates of birth, telephone numbers and encrypted passwords, Yahoo said.
The company urged users to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.
Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password, said Wednesday it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Shares in the company lost 2.4% after hours to $39.92.
Verizon, which has struck a deal to buy the company’s core business, says it will review the impact of the new breach
The Yahoo logo is shown at the company's headquarters in
By Anne Steele
THE WALL STREET JOURNAL
Updated Dec. 14, 2016 5:26 p.m. ET
Yahoo Inc. revealed new security issues affecting more than a billion users’ data, a theft that is separate and twice as large as the hack it disclosed earlier this year.
On Wednesday, Yahoo said an unauthorized third party stole data associated with more than one billion user accounts in August 2013. In September, Yahoo blamed “state-sponsored” hackers for stealing data on 500 million user accounts, which at the time was the largest theft of personal user data ever disclosed.
Yahoo, which has agreed to sell its core business to Verizon Communications Inc., said it has connected some of the activity disclosed Wednesday to the same state-sponsored actor believed to be responsible for the data theft disclosed in September.
On Wednesday, Verizon said it would review the impact of the new breach.
Yahoo said it has taken steps to secure user accounts and is working closely with law enforcement.
In November, Yahoo disclosed law enforcement gave the company data files that a third party claimed was Yahoo user data. On Wednesday, the company confirmed it appears to be Yahoo user data.
Yahoo said it hasn’t identified the intrusion associated with the theft but believes it is likely distinct from the incident the company disclosed in September.
Earlier Coverage
What Yahoo Users Can Do After the Hack (Sept. 22)
It’s Time to Cancel Your Forgotten Internet Accounts (Sept 23)
Yahoo Breach Raises Questions About Password Resets (Sept. 28)
The stolen data in both cases may have included names, email addresses, dates of birth, telephone numbers and encrypted passwords, Yahoo said.
The company urged users to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.
Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password, said Wednesday it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Shares in the company lost 2.4% after hours to $39.92.