Yahoo today has announced its second large hack in a matter of 3 months. In a post on the company’s Tumblr account, Yahoo’s chief information security officer Bob Lord announced that, in 2013, data from more than 1 billion user accounts was accessed by an unauthorized third-party. This revelation comes after Yahoo confirmed in September that 500 million user accounts were affected by a separate data breach.
Yahoo first became suspicious regarding the hack last month when law enforcement provided the company with data files from a third-party who claimed that it was Yahoo user account information. Yahoo then began an investigation with the help of outside forensic experts, thus confirming that it was in fact data from its users.
Yahoo says that affected accounts may have had data stolen such as email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
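The mention of MD5 matters because an unsalted MD5 digest of a common password is the same for every user, so one precomputed table of common passwords can be checked against an entire dump at once. The Python below is an added example, not Yahoo's code; the records and wordlist are constructed, and it contrasts that exposure with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) under which the same shared lookup no longer works.

```python
"""Why stolen unsalted MD5 password digests are exposed, and what removes that exposure."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed records (not real data): a store that, like the 2013 dump, keeps
# one unsalted MD5 digest per user.
SAMPLE_DUMP: Dict[str, str] = {
    "alice@example.com": md5_hex("password123"),
    "bob@example.com": md5_hex("password"),
    "carol@example.com": md5_hex("correct horse battery staple"),
}
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "password123", "letmein"]


def exposed_by_lookup(store: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: password} for every record whose digest equals md5(common password).

    With no per-user salt the table is computed once and reused for every record,
    so the cost of checking a whole dump is roughly the cost of one wordlist.
    """
    table = {md5_hex(pw): pw for pw in wordlist}
    return {user: table[digest] for user, digest in store.items() if digest in table}


PBKDF2_ITERATIONS = 600_000  # work factor; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def pbkdf2_record(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as 'iterations$salthex$digesthex' (format is an assumption)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(pw: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because each PBKDF2 record carries its own random salt, two users with the same password get different digests, so no single precomputed table applies to the whole store and every guess costs the full iteration count per user.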
Perhaps what’s most notable concerning this hack, however, is that Yahoo has still not identified how the data was stolen. ”We have not been able to identify the intrusion associated with this theft,” Lord wrote. Yahoo believes, however, that this instance is separate from the September hack.
Yahoo says that it is notifying potentially affected users and is taking steps to secure those accounts. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
But, it gets worse. Yahoo also today announced that a third-party used Yahoo code to forge cookies and gain the ability to access user accounts without having to enter a password.
Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.
The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.
Needless to say, this is very much an instance of Yahoo’s bad year getting worse; the company is in the process of closing an acquisition deal with Verizon. News of this hack will only give Verizon a leg up in the negotiation process, perhaps even enough power to walk away from the deal altogether or dramatically reduce the price.
If you believe your account was affected, Yahoo recommends changing your password immediately. At this point, however, it might be wise to step back and ask yourself, “do you really need a Yahoo account?”