Yahoo discloses hack of 1bn users in latest data heist

15 Dec 2016

The timing of the latest 1bn user account breach could not be worse for Yahoo, as it could derail its acquisition by Verizon. Image: dennizn/Shutterstock

Yahoo’s takeover by Verizon has been threatened once again by another data breach revelation: more than 1bn accounts may have been accessed by ‘unauthorised’ third parties.

Just three months after Yahoo revealed that hackers may have breached 500m accounts, the company last night admitted that an unauthorised third party obtained data from more than 1bn user accounts.

Stolen information may include user names, dates of birth, email addresses etc.

The breach is understood to have occurred in August 2013 and was the result of forged cookies that hackers used to gain Yahoo’s proprietary code.

“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data,” said Bob Lord, chief information security officer at Yahoo.

“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorised third party, in August 2013, stole data associated with more than 1bn user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

“The investigation indicates that the stolen information did not include passwords in clear text, payment card data or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected,” Lord said.


Yahoo said it is notifying all users who have been impacted by this latest hack.

In September, Yahoo revealed that the account details of 500m people were obtained by hackers as part of a “state-sponsored attack”.

The idea that the latest breach might have also been “state-sponsored” is unlikely to enhance the mood in the US, where it is being alleged that Russian president Vladimir Putin was “personally involved” in a secret Russian hacking campaign to tilt the US presidential election in favour of president-elect Donald Trump.

The latest breach revelation could seriously destabilise Verizon’s $4.8bn acquisition of the company, announced in July.

Verizon acquired Yahoo because it wants to create a 1bn mobile user community to serve with advertising. However, the deal is subject to Verizon’s regulatory rules and approval by shareholders.

The timing of the revelation could not be worse for Yahoo and indeed shareholders, who may be spooked by the breach.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
