Yahoo is coming under fire from security experts after the tech giant confirmed that more than one billion customer accounts have been compromised in a massive data breach.
“This is the Exxon Valdez of security breaches. 1 billion accounts compromised, when there are only 3 billion people with Internet access in the world,” said Jeff Williams, CTO of Contrast Security, in a statement emailed to FoxNews.com. “Many people use Yahoo email as their primary account. That means the attackers could reset passwords for bank accounts, medical providers, credit card accounts, etc… and retrieve the password reset email from the Yahoo victims.”
In a statement released Wednesday, Yahoo said that an unauthorized third party stole data associated with more than one billion user accounts in August 2013. The stolen account information may have included names, email addresses, telephone numbers, dates of birth, “hashed” passwords (which use an algorithm to protect the password), and, in some cases, encrypted or unencrypted security questions and answers, according to Yahoo. However, the company’s probe indicates that the stolen information did not include clear text passwords, payment card data, or bank account data. Yahoo said that payment card and bank account information are not stored in the system it believes was compromised.
The breach disclosure comes hot on the heels of a separate hack of 500 million accounts confirmed by Yahoo in September, which related to data stolen in late 2014.
The company believes the August 2013 intruder accessed Yahoo’s proprietary code to learn how to forge cookies. Widely used on the Web, cookies are small text files that let websites recognize users and track their preferences.
Yahoo confirmed that the stolen data include passwords hashed, or protected, with the MD5 algorithm, which many experts consider insecure.
“Some of the practices that Yahoo has disclosed as part of this breach, such as using MD5 for hashing passwords and using a forgeable cookie algorithm, are just reckless,” Williams of Contrast Security told FoxNews.com.
“Yahoo should know that it is an invaluable target for cybercrime syndicates and nation-states and invest the resources to protect its data accordingly,” added Kenneth Geers, senior research scientist, at cybersecurity firm Comodo, in a statement “The use of vulnerable MD5 hashes suggests that Yahoo was not paying sufficient attention to security.”
Experts have also voiced concern that the latest breach disclosed by Yahoo occurred way back in 2013, leaving users’ data exposed for more than three years.
“These accounts have been compromised for years and the sheer number of accounts means this has been a large source of identity theft already,” said Tyler Moffitt, senior threat research analyst at Internet security company Webroot, in a statement emailed to FoxNews.com.
“Given that this, the largest hack of all time, took place over three years ago, the damage may already have been done, but Yahoo users should immediately change passwords and security questions as well as enable 2-factor authentication,” added Adam Levin, founder of identity protection specialist IDT911, in a statement.
Two-factor, also known as ‘two-step’ verification, is a method of bolstering users’ online security. In addition to a password, additional login data could be used, such as a code sent to a cell phone.
"This is more of the same bad news for every Yahoo! user,” said Paul Martini, CEO of iboss Cybersecurity, in a statement emailed to FoxNews.com. “What's really shocking about this latest breach is that everyone with a Yahoo! account has now likely had their personal information stolen two or three times. Had Yahoo! simply taken steps to monitor network data for evidence of the theft in real time, this could have been largely prevented.”
Yahoo said Wednesday that it connected some of the activity around forged cookies to the “same state-sponsored actor” believed to be responsible for the breach disclosed in September.
Yahoo has not yet responded to a request for comment on this story from FoxNews.com.
Follow James Rogers on Twitter @jamesjrogers