Yahoo Discloses New Breach of 1 Billion User Accounts
Verizon, which has struck a deal to buy company’s core business, will review impact of new breach
On Wednesday, Yahoo said an unauthorized third party stole data associated with more than one billion user accounts in August 2013. In September, Yahoo blamed “state-sponsored” hackers for stealing data on 500 million user accounts, which at the time was the largest theft of personal user data ever disclosed.
Yahoo agreed to sell its core business to Verizon Communications Inc. and the $4.83 billion transaction was expected to close early in 2017. The two sides were discussing the impact of the first data breach when the second was discovered.
“We will evaluate the situation as Yahoo continues its investigation,” Verizon said Wednesday in a statement. “We will review the impact of this new development before reaching any final conclusions.”
The telecom company learned of the latest breach in the past few weeks, a person familiar with the matter said. The company still has all options on the table, including renegotiating the deal’s price or walking away, the person said.
Yahoo said it has taken steps to secure user accounts and is working closely with law enforcement.
In November, Yahoo disclosed that law enforcement had given the company data files that a third party claimed were Yahoo user data. On Wednesday, the company confirmed that the files appear to be Yahoo user data.
Yahoo said it hasn’t identified the intrusion associated with the theft but believes it is likely distinct from the incident the company disclosed in September.
The stolen data in both cases may have included names, email addresses, dates of birth, telephone numbers, encrypted passwords and unencrypted security questions and answers, Yahoo said.
The company urged users to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information as for their Yahoo account. It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.
Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password, said Wednesday it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Yahoo said it has connected some of the activity disclosed Wednesday to the same state-sponsored actor believed to be responsible for the data theft disclosed in September.
Shares in the company lost 2.4% after hours to $39.92.
—Ryan Knutson contributed to this article.