
Yahoo Chief Information Security Officer (CISO) Bob Lord admitted today that Yahoo suffered a second data breach during which an unknown third-party had stolen information on more than one billion Yahoo users.

According to Lord, the intrusion took place in August 2013, but Yahoo only learned of it in November 2016, after law enforcement provided the company with data that was allegedly stolen from it.

Attacker(s) stole user personal details, hashed passwords, and more

An investigation together with an external forensics firm confirmed the stolen data was taken from Yahoo servers.

Yahoo says the attacker stole user data such as names, email addresses, telephone numbers, dates of birth, hashed passwords (hashed with MD5, a fast hash that does little to slow down offline cracking) and, in some cases, encrypted or unencrypted security questions and answers.

The attacker(s) did not obtain plaintext passwords, payment card data, or bank account information. Yahoo says this information was stored on other systems, which the attackers were not able to access.

2013 and 2014 Yahoo breaches aren't related

Today's announcement comes three months after Yahoo admitted in September to a data breach during which an attacker stole details for over 500 million users.

Yahoo blamed that hack on a "state-sponsored actor" and said the intrusion took place in late 2014. Lord said the two incidents do not appear to be related.

Documents filed with the SEC in early November revealed that Yahoo had known of the first breach since 2014, when it happened, rather than discovering it in 2016.

Yahoo confirms 2014 hacker accessed some user accounts

The same documents revealed that the suspected state-sponsored actor behind the first (2014) hack used forged cookies to access the accounts of some Yahoo users.

Lord confirmed the SEC filing today and also revealed that the state-sponsored actor accessed parts of Yahoo's proprietary source code, which enabled it to forge cookies for Yahoo users and so access their accounts without the password.

Lord says the company has notified the users whose accounts were accessed with forged cookies, invalidated the forged cookies, and hardened its cookie system against similar attacks.
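To make the forged-cookie point concrete, the following is an added, generic illustration written for this page; it is not Yahoo's code, not its cookie format, and not a description of the actual flaw. It assumes a session cookie protected by an HMAC over the payload with a server-side signing key: whoever holds that key (for instance because it was embedded in leaked source) can mint a cookie for any account without that account's password, and the two hardening steps named above, invalidating existing cookies and rotating the signing key, behave differently against such an attacker. The key values, user names and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import time


class CookieSigner:
    """Server side of an HMAC-signed session cookie: 'key_id|user|issued_at|tag'.

    Generic illustration only; this is not Yahoo's cookie format.
    """

    def __init__(self, keys, active_key_id, max_age=3600):
        self.keys = dict(keys)        # key_id -> secret bytes
        self.active_key_id = active_key_id
        self.max_age = max_age        # seconds a cookie stays valid
        self.not_before = {}          # user -> earliest acceptable issued_at

    @staticmethod
    def tag(key, payload):
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, user, issued_at=None):
        issued_at = int(time.time()) if issued_at is None else issued_at
        payload = f"{self.active_key_id}|{user}|{issued_at}"
        return f"{payload}|{self.tag(self.keys[self.active_key_id], payload)}"

    def verify(self, cookie, now=None):
        """Return the user named in the cookie if it verifies, else None."""
        now = int(time.time()) if now is None else now
        try:
            key_id, user, issued_str, tag = cookie.split("|")
            issued_at = int(issued_str)
        except ValueError:
            return None
        key = self.keys.get(key_id)
        if key is None:
            return None               # signed under a retired or unknown key
        expected = self.tag(key, f"{key_id}|{user}|{issued_at}")
        if not hmac.compare_digest(expected, tag):
            return None               # tampered payload or wrong key
        if now - issued_at > self.max_age:
            return None               # expired
        if issued_at < self.not_before.get(user, 0):
            return None               # issued before this user's sessions were revoked
        return user

    def rotate(self, new_key_id, new_key):
        """Retire every existing key; cookies signed under them stop verifying."""
        self.keys = {new_key_id: new_key}
        self.active_key_id = new_key_id

    def revoke_user(self, user, now=None):
        """Invalidate all of one user's cookies issued before `now`."""
        self.not_before[user] = int(time.time()) if now is None else now


def forge_cookie(leaked_keys, key_id, victim, issued_at):
    """Attacker side: with the leaked signing key, mint a cookie for any account."""
    payload = f"{key_id}|{victim}|{issued_at}"
    return f"{payload}|{CookieSigner.tag(leaked_keys[key_id], payload)}"


def demo():
    t0 = 1_400_000_000                          # constructed timestamp
    key_store = {"k1": b"demo-signing-key-1"}   # constructed demo secret
    server = CookieSigner(key_store, "k1")
    out = {}

    legit = server.mint("alice", issued_at=t0)
    out["legit"] = server.verify(legit, now=t0 + 10)            # 'alice'

    # Changing the user without the key breaks the HMAC.
    tampered = legit.replace("alice", "bob", 1)
    out["tampered"] = server.verify(tampered, now=t0 + 10)      # None

    # With the leaked key the attacker signs a cookie for bob: it verifies.
    forged = forge_cookie(key_store, "k1", "bob", t0)
    out["forged_before_fix"] = server.verify(forged, now=t0 + 10)   # 'bob'

    # Invalidating bob's existing cookies kills this one...
    server.revoke_user("bob", now=t0 + 5)
    out["forged_after_revoke"] = server.verify(forged, now=t0 + 10)  # None

    # ...but the attacker still holds the key and simply mints a newer one.
    forged_again = forge_cookie(key_store, "k1", "bob", t0 + 6)
    out["reforged_after_revoke"] = server.verify(forged_again, now=t0 + 10)  # 'bob'

    # Only rotating the signing key defeats a key-holding attacker.
    server.rotate("k2", b"demo-signing-key-2")
    out["reforged_after_rotation"] = server.verify(forged_again, now=t0 + 10)  # None
    fresh = server.mint("alice", issued_at=t0 + 20)
    out["fresh_after_rotation"] = server.verify(fresh, now=t0 + 30)  # 'alice'
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is the ordering of the response steps: per-user invalidation stops the cookies already observed, but as long as the attacker retains the signing material, new cookies can be minted at will, so hardening against "similar attacks" has to include retiring the leaked key (and moving it out of source code), not just revoking the cookies that were seen.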

On top of this, the company has started the notification procedure for users affected by the newly disclosed security incident. Yahoo is currently asking users to reset passwords and choose new security questions and answers.
