Yahoo has confirmed that data associated with more than 1 billion of its user accounts was stolen in August 2013, in what it describes as a breach distinct from, and larger than, the 2014 intrusion it disclosed in September 2016. At that time the company had admitted that at least 500 million accounts had been compromised.
'More than 1 billion'
According to a statement from Yahoo put on Tumblr: "As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data."
It added: "Based on further analysis of this data by the forensic experts, we believe an unauthorised third party, in August 2013, stole data associated with more than 1 billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016."
What was stolen?
According to Yahoo, the stolen information may have included names, email addresses, telephone numbers, dates of birth and hashed passwords, and in some cases encrypted or unencrypted security questions and answers. The statement continued: "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
Names, email addresses, telephone numbers and dates of birth are precisely the details other services use to confirm identity, so the data supports identity theft, account openings in victims' names and convincing targeted phishing. The absence of clear-text passwords is only partial comfort: password hashes can be attacked offline, with each candidate password hashed and compared against the stolen value, and weak or reused passwords fall quickly unless the hashing scheme is slow and salted. Where security questions and answers were stored unencrypted, an attacker does not need to crack anything: the answers pass account-recovery checks and allow the password to be reset outright, on Yahoo and on any other site where the user reused the same questions.
Yahoo had earlier said that its forensic experts were investigating forged cookies, which could allow an attacker to access users' accounts without a password. A session cookie is what a site accepts in place of a password once a user has logged in; if an attacker can produce cookies the server treats as valid, changing passwords does nothing to keep them out. Yahoo also said that an unauthorised third party might have accessed its proprietary code and learnt how to forge such cookies.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
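To make concrete what "forging cookies" means, and why invalidating the identified cookies (the step described in the statement above) is only part of a remedy, here is an added example. It is not Yahoo's code and does not describe Yahoo's actual cookie format: it models a simplified HMAC-signed session cookie under an assumed server secret, shows the forgery an attacker holding that secret can perform, and contrasts two remediations, targeted invalidation for affected accounts and rotation of the secret. All names, keys and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed, simplified model of a signed session cookie (not Yahoo's real
# scheme): the body is a base64url JSON payload, the tag is HMAC-SHA256 over
# the body under a server-side secret. Whoever holds the secret can mint a
# cookie the server accepts for any user, with no password involved.

SERVER_KEY = b"hypothetical-server-secret-2013"     # assumed key, not real
ROTATED_KEY = b"hypothetical-server-secret-rotated"  # assumed replacement key


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(user: str, issued_at: int, key: bytes) -> str:
    """Build a cookie for `user`; the server does this after a password login."""
    body = _b64e(json.dumps({"user": user, "iat": issued_at}, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes, revoked_before=None):
    """Return the user name the cookie authenticates, or None.

    revoked_before maps user -> timestamp; cookies for that user issued
    earlier than the timestamp are treated as invalidated. This is the
    targeted revocation a site applies to accounts it knows were affected.
    """
    revoked_before = revoked_before or {}
    parts = cookie.split(".", 1)
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # wrong key or tampered body
        return None
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    user = payload.get("user")
    if payload.get("iat", 0) < revoked_before.get(user, 0):
        return None
    return user


def demo():
    """Walk through forgery and the two remediations; returns the outcomes."""
    legit = mint_cookie("alice", issued_at=1000, key=SERVER_KEY)
    # An attacker who obtained the secret (e.g. together with the cookie
    # code) forges a cookie for bob without ever knowing bob's password.
    forged = mint_cookie("bob", issued_at=1001, key=SERVER_KEY)
    # Without the key, editing the body is detected: reuse alice's tag on a
    # body that names bob.
    _, tag = legit.split(".", 1)
    tampered_body = _b64e(json.dumps({"iat": 1000, "user": "bob"}, sort_keys=True).encode())
    tampered = f"{tampered_body}.{tag}"

    before = (verify_cookie(legit, SERVER_KEY),
              verify_cookie(forged, SERVER_KEY),     # accepted: forgery works
              verify_cookie(tampered, SERVER_KEY))   # rejected: bad tag
    # Remediation 1: invalidate cookies for the identified account only.
    revoked = {"bob": 5000}
    targeted = (verify_cookie(legit, SERVER_KEY, revoked),
                verify_cookie(forged, SERVER_KEY, revoked))
    # Remediation 2: rotate the secret; everything signed before it fails,
    # and only cookies minted under the new key are accepted.
    rotated = (verify_cookie(legit, ROTATED_KEY),
               verify_cookie(forged, ROTATED_KEY),
               verify_cookie(mint_cookie("alice", 6000, ROTATED_KEY), ROTATED_KEY))
    return before, targeted, rotated


if __name__ == "__main__":
    print(demo())
```

The outcomes illustrate the caveat a practitioner would raise: targeted invalidation stops the forged cookies that have already been identified, but an attacker who still holds the secret, or has learnt the forgery method, can simply mint fresh ones. Rotating the secret cuts off every cookie issued under it, at the cost of logging all users out, and is the step to reach for once the signing mechanism itself is known to have leaked.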