New Yahoo Breach Involves 1 Billion Accounts

December 15, 2016 Marketing GrafWebCUSO

A newly revealed Yahoo data breach, which occurred in 2013, involved personal information associated with more than one billion user accounts, twice the number affected in a separate intrusion disclosed in September.

The stolen user-account information may have included names, email addresses, telephone numbers, birthdates, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. The investigation, according to Yahoo, so far indicates the stolen information did not include passwords in clear text, payment card data, or financial account information.

The Sunnyvale, Calif.-based search company, which is being acquired by Verizon for about $4.8 billion, said an unauthorized third party stole the data and that it was working closely with law enforcement.

Yahoo said it believed the latest incident was likely distinct from the breach disclosed in September, when it revealed personal information associated with at least 500 million user accounts, including names, passwords, birthdates, and email addresses, was stolen in 2014. In a statement in September, Yahoo said the compromised information was taken by an unnamed state-sponsored actor.

The Yahoo data breaches, and other incidents involving the release of personally identifiable information, have broader implications for financial institutions and other businesses.

“Yahoo should know that it is an invaluable target for cybercrime syndicates and nation-states and invest the resources to protect its data accordingly,” Kenneth Geers, senior research scientist at Clifton, N.J.-based cybersecurity firm Comodo Enterprise, said. “We shouldn’t forget that an insider, a rival corporation, or even a nation-state might operate purely out of selfish financial considerations,” Geers added.

Scott Fulton, technical fellow at Phoenix-based security company BeyondTrust, also commented. “Now more than ever companies need to protect themselves when other companies are compromised. We all know users reuse passwords and we can almost guarantee that the answers to user’s internal secret questions are the same as their personal secret questions.”