Stolen Yahoo account information includes hashed passwords and personal information.
This new Yahoo data breach is separate from the state-sponsored hack the company reported back in September, in which 500 million user accounts were compromised. Read on to find out more.
Yahoo has blamed an “unauthorised third party” for the latest megabreach. According to the company, the attack happened in August 2013. Information stolen may include “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”.
Yahoo believes no payment or banking information was stolen. The company has notified potentially affected users. But if you’re a Yahoo user and you haven’t heard anything from the company, it’s still recommended that you change your password. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
“We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” Yahoo CISO Bob Lord said in a statement.
Yahoo is also investigating a security issue concerning the creation of forged cookies that could allow an intruder to access users’ accounts without a password. This issue, which was identified by external forensic experts, is related to the state-sponsored hacking incident that was reported in September:
“Based on the ongoing investigation, the outside forensic experts have identified user accounts for which they believe forged cookies were taken or used in 2015 or 2016. The company is notifying the affected account holders, and has invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on September 22, 2016.”
Verizon, which agreed to buy Yahoo’s web assets for $US4.83 billion back in July, is looking into the security incidents. According to an insider who spoke to The Wall Street Journal, Verizon still has the option of renegotiating the deal’s price or walking away from it entirely.