The Atlanta Journal-Constitution
Yahoo says 1 billion user accounts were hacked in 2013,
Company previously cited the hacking of 500 million accounts.
Yahoo said Wednesday that 1 billion user accounts — meaning most of the Internet giant’s customers worldwide — were hacked by a “state-sponsored” attacker in 2013, leading to the release of user names, telephone numbers, dates of birth and other personal information.
The report of the hack, coming after the announcement of a separate hack affecting 500 million accounts in September, means that Yahoo has been the victim of two of the biggest data breaches in history, both of which have been announced since Yahoo agreed to sell its core businesses to telecommunications giant Verizon in July for $4.8 billion.
The incident raised new questions among analysts regarding the viability of that deal and whether the valuation will need to be changed, especially if the series of hacks triggers litigation against the company.
“The fact that we now have two breaches implies that Yahoo security measures were inadequate. So it is more likely there will be future breaches uncovered,” said analyst Laura Martin, senior analyst for entertainment and internet at Needham Equity Research. “It sounds to me like they never knew about any of these breaches meant they never fixed the problem. That implies that the assets are actually less valuable than we thought.”
In the 2013 incident, Yahoo said, credit card and bank account numbers, which are stored separately, were not affected. The company is requiring customers who were affected to change their passwords.
The company said hackers, however, may have stolen passwords from the affected accounts. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
That could mean trouble for any users who reused their Yahoo password for other online accounts.
Yahoo also reported a separate incident Wednesday in which hackers used what the company called “forged cookies” to gain access to some accounts, though it did not give the number affected. That incident, the company said, appeared to have links to the one announced in September.
“Yahoo encourages users to review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account,” the company said in a statement. “The company further recommends that users avoid clicking links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information.”
Verizon spokesman Bob Varettoni said, “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”
Regarding the deal, Yahoo said in a statement, “We are confident in Yahoo’s value and we continue to work towards integration with Verizon.”