Yahoo today confirmed that hackers have stolen data from over 1 billion user accounts.
The breach occurred in 2013, and Yahoo warns that stolen data may have included names, dates of birth, email addresses, telephone numbers, hashed passwords, and more.
This is a separate incident from the one disclosed earlier this year, in which at least 500 million Yahoo accounts were compromised in late 2014; however, the same hackers are believed to have been behind this earlier attack, which hit a much larger number of accounts.
In a post on Tumblr, Yahoo says it has taken steps to secure the accounts that have been affected, and it is now working closely with law enforcement to get to the bottom of the attack.
“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” reads the statement.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft.”
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” it continues.
Yahoo insists, however, that the stolen data did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information were not stored on the system that is believed to have been breached.
Yahoo also believes that hackers were able to create forged cookies that allowed them to access user accounts without a password.
“Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” it says.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.”
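As an added illustration (not Yahoo's code; its actual cookie format is not public), the following minimal signed session cookie with a key identifier shows why an intruder who can read the signing key can mint valid cookies for any account without a password, and how retiring that key invalidates every cookie signed with it, the kind of remediation Yahoo describes. The key names, cookie layout and user ids are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed example: cookie layout is "<user>|<expiry>|<key_id>|<hmac-sha256 hex>".
# Keys live in a dict keyed by id so that rotation is a single dict change;
# in production the key material should come from a secret store, never from source code.

def mint_cookie(user_id: str, key_id: str, keys: Dict[str, bytes], now: int, ttl: int = 3600) -> str:
    """Sign a session cookie for user_id with the key named key_id."""
    payload = f"{user_id}|{now + ttl}|{key_id}"
    tag = hmac.new(keys[key_id], payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, keys: Dict[str, bytes], now: int) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user_id, exp, key_id, tag = parts
    key = keys.get(key_id)
    if key is None:
        # Key retired (rotated out): every cookie signed with it is now invalid,
        # including any the attacker forged with a stolen copy of the key.
        return None
    payload = f"{user_id}|{exp}|{key_id}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if not exp.isdigit() or int(exp) <= now:
        return None
    return user_id


def rotate_key(keys: Dict[str, bytes], old_id: str, new_id: str, new_key: bytes) -> Dict[str, bytes]:
    """Retire old_id and install new_id; returns the new key set (old cookies stop verifying)."""
    rotated = {k: v for k, v in keys.items() if k != old_id}
    rotated[new_id] = new_key
    return rotated
```

Whoever holds the current key can call mint_cookie for any user id, which is exactly why a key that sits in readable source code is a single point of failure; rotating it out is what makes the already-issued (and forged) cookies worthless.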
Yahoo is notifying potentially affected users and has already taken steps to secure their accounts, like implementing mandatory password resets. It has also invalidated unencrypted security questions and answers so that they cannot be used again to access the accounts.
Even if you don't get a notification from Yahoo, you should change your account password anyway. Use a password that nobody could guess, and do not reuse it across accounts. If you used the same password elsewhere before, change that, too.
It is also recommended that you enable two-factor authentication or Yahoo Account Key. The latter eliminates the need for a password by letting you log in with a code sent to your phone.
If you no longer use your Yahoo account or any of the services associated with it, you might want to just close it down instead.