Yahoo Confirms Theft of Information from More Than One Billion User Accounts

Hack breaks company's own record for largest data breach ever

Yahoo Confirms Theft of Information from More Than One Billion User Accounts
December 15, 2016

Nearly three months after announcing a 2014 data breach affecting the accounts of hundreds of millions of users, Yahoo has confirmed that someone hacked its defenses again and stole information from more than one billion user accounts.

NPR reports that the stolen information included names, email addresses, telephone numbers, dates of birth, and encrypted or unencrypted security questions and answers.

In a statement notifying users of the hack, Yahoo said that it "has taken steps to secure user accounts and is working closely with law enforcement." The company believes that the hack happened in August 2013 and is a separate incident from the 2014 attack, though the same type of information was stolen in both.

Yahoo believes that users' financial information was not affected by this breach.

"Payment card data and bank account information are not stored in the system the company believes was affected," it wrote.

The company is informing users whose accounts may have been affected and "has taken steps to secure" those accounts, such as requiring the user to change the account password.

The News & Observer noted that the company did not mention whether or not it thinks the same hacker was behind both attacks. It blamed the 2014 breach on "a hacker affiliated with an unidentified foreign government"; however, it has so far been unable to determine the source of the 2013 hack.

Not everyone believes that it came from the same source, as Birmingham City University Digital Forensics Specialist Professor Peter Sommer told the BBC.

"At the moment I'm not [convinced]," he said. "What on earth is a state going to do with one billion accounts of ordinary users? That's the difficulty I have."

This revelation of a second large-scale hack—a breach even bigger than the first—could jeopardize the proposed purchase of Yahoo by Verizon. The discovery may lead Verizon to lower its original proposed price of $4.8 billion or even abandon the deal altogether.

"If the hacks cause a user backlash against Yahoo," writes the BBC, "the company's services would not be as valuable to Verizon."

Verizon stated that it will analyze the situation while Yahoo investigates the breach and will review the "new development before reaching any final conclusions."