By James Rogers
Published December 14, 2016
Yahoo announced Wednesday that hackers stole data from more than one billion customer accounts.
In a statement, Yahoo’s Chief Information Security Officer Bob Lord said that “an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.”
Lord explained that the breach was found by analyzing data files provided by law enforcement that an unnamed third party claimed was Yahoo user data. “We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” he said.
Yahoo has not yet identified the intrusion associated with the theft. The breach is distinct from the hack of 500 million accounts disclosed by Yahoo in September, according to the tech giant.
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers, according to Yahoo. “The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” Lord said. “Payment card data and bank account information are not stored in the system the company believes was affected.”
Yahoo had already disclosed that its outside forensic experts were investigating the creation of forged cookies that could let a hacker access users’ accounts without a password. “Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” Lord said. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.”
Cookies are small text files that let websites recognize users and track their preferences.
In the statement, Lord added that Yahoo has connected some of the activity around forged cookies to the “same state-sponsored actor” believed to be responsible for the breach disclosed in September.
Yahoo is notifying potentially affected users and has taken steps to secure the accounts, including requiring users to change their passwords. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access accounts.
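The forged-cookie and cookie-invalidation steps described above come down to one design question: what does the integrity of a session cookie depend on? If an attacker who reads the server's source can mint a valid cookie, integrity depended on the secrecy of the code. The following added example (not Yahoo's code, and not describing its actual cookie format) shows the usual defensive pattern: the cookie carries a payload plus an HMAC tag computed under a secret key held outside the code base, so a cookie with an edited payload or a tag made without the key fails verification, and rotating the key invalidates every outstanding cookie in one step. The `tamper_payload` helper is a constructed test input that models a tampered cookie; the key values are constructed, not real.

```python
"""Added example: HMAC-signed session cookies with key rotation.

Assumptions (not from the article): cookie format is '<base64url payload>.<hex HMAC-SHA256 tag>',
payload is a small JSON object with subject, issued-at and expiry fields.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    """base64url without padding, as used inside the cookie body."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; re-adds the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(payload: dict) -> str:
    # canonical JSON so the same payload always produces the same bytes and tag
    return _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


def mint_cookie(user_id: str, key: bytes, ttl_seconds: int = 3600,
                now: Optional[float] = None) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload).

    `key` must be a secret loaded from the environment or a secret store,
    never a constant in the code base; that is the whole point.
    """
    issued = int(time.time() if now is None else now)
    payload = {"sub": user_id, "iat": issued, "exp": issued + ttl_seconds}
    body = _encode_payload(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the tag verifies under `key` and the cookie is unexpired, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison: leaks no timing signal about how many tag bytes matched
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) < current:
        return None
    return payload


def rotate_key() -> bytes:
    """Generate a fresh 256-bit key. Every cookie minted under the previous key now fails
    verification, which is how a server invalidates all outstanding cookies at once."""
    return secrets.token_bytes(32)


def tamper_payload(cookie: str, new_user: str) -> str:
    """Constructed test input: the payload is edited but the original tag is kept.
    verify_cookie must reject this, since the tag no longer matches the body."""
    body, _, tag = cookie.rpartition(".")
    payload = json.loads(_b64d(body))
    payload["sub"] = new_user
    return _encode_payload(payload) + "." + tag


if __name__ == "__main__":
    key = rotate_key()                      # in production: loaded from a secret store
    cookie = mint_cookie("alice", key, ttl_seconds=60)
    print("valid:", verify_cookie(cookie, key))
    print("tampered:", verify_cookie(tamper_payload(cookie, "bob"), key))
    print("after rotation:", verify_cookie(cookie, rotate_key()))
```

Invalidation in this scheme is coarse: rotating the key logs every user out. A per-account "not valid before" timestamp checked against `iat` gives the finer-grained invalidation a provider would want when only some accounts are known to be affected.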
Security experts say that the breach highlights the scale of current cybersecurity threats.
“These types of breaches are occurring more and more frequently, and companies like Yahoo must be taking certain precautions to secure user accounts,” said Evan Blair, co-founder of security specialist ZeroFox, in a statement emailed to FoxNews.com. “The level of trustworthiness between company and customer is in a fragile state, and it’s up to organizations to employ internal security measures to prevent these types of attacks from occurring to give consumers more peace of mind.”
“This breach makes the job of cybercriminals that much easier,” added Shuman Ghosemajumder, CTO of Shape Security, in a statement emailed to FoxNews.com, noting that hackers could use the stolen credentials to access additional accounts. “This most recent credential spill at one of the world's largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites.”