Yahoo believes, based on third-party forensic evidence, that someone stole user data from 1 billion Yahoo accounts in 2013, according to a press release from the company. This theft, it says, is likely separate from the hack of 500 million accounts it disclosed in September.
The company received information about the breach from law enforcement on Nov. 7, 2016, according to a spokesperson. But the company has not been able to identify the perpetrators of the billion-account hack, the press release said. Yahoo is requiring all potentially affected users to change their passwords and password recovery questions.
The data may have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” Credit card info was not affected, according to Yahoo.
Flickr users should also change their passwords and otherwise ensure their accounts are secure.
In early August 2016, a person on the Dark Web going by the name "Peace" listed data from 200 million Yahoo accounts for sale. At the time Yahoo said it was aware of the listing, but it did not issue a password reset.
A source close to the investigation told BuzzFeed News Yahoo looked into Peace’s claim in July 2016 and found no direct evidence to substantiate it. According to the source, however, Yahoo then began another, wider investigation that led it to discover the breach of 500 million accounts.
In October 2016, Reuters reported that Yahoo had built custom software for US intelligence to spy on Yahoo Mail users, which also incurred the ire of cybersecurity experts and Yahoo users alike, though Yahoo denied the existence of the software.
This new hack, especially when considered with the 500 million account hack in September, may affect the proposed $4.8 billion sale of Yahoo’s core business to Verizon. Reuters earlier reported that Verizon pushed for a $1 billion discount on the deal.
Verizon reiterated its statement from the September hack: "As we've said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions."
Arun Vishwanath, a professor of communications at the University of Buffalo who studies cybercrime, said that since many people use one password for multiple accounts, the Yahoo hackers are likely attempting to breach other accounts across the internet.
"The most likely thing hackers have done is harness the passwords to effect targeted attacks or for conducting widespread DDoS-type attacks using the known password combinations, as we saw with the recent Dyn attack," Vishwanath said.
He recommends changing your passwords, enabling multifactor authentication, and logging out after each email session.
Yahoo's security failings may embroil it with lawmakers.
Senator Mark Warner, founder of the Senate Cybersecurity Caucus, said in a statement, "While I have repeatedly asked for briefings from Yahoo on the disclosure of its 2014 breach and have yet to receive a response, this most recent revelation warrants a separate follow up and I plan to press the company on why its cyber defenses have been so weak as to have compromised over a billion users."
Blake Montgomery is a reporter for BuzzFeed News and is based in San Francisco.
Contact Blake Montgomery at firstname.lastname@example.org.
Got a confidential tip? Submit it here.