“Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” said Bob Lord, chief information security officer of the Sunnyvale, Calif.-based tech firm. “The company has not been able to identify the intrusion associated with this theft.”
“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” he added.
Yahoo advised users to review all of their online accounts for suspicious activity and to change their passwords as well as security questions and answers for any of their accounts on which they use the same or similar information used for their Yahoo accounts.
The company also warned users to avoid clicking links or downloading attachments from suspicious emails and to be cautious of unsolicited emails that ask for personal information.
Yahoo recommended using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
The breadth of information stolen is substantial.
Yahoo said the stolen information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and in some cases, encrypted or unencrypted security questions and answers.
However, Yahoo said its initial investigation indicates that passwords in clear text, payment card data and bank account information were not among the data stolen.
“Payment card data and bank account information are not stored in the system the company believes was affected,” a security bulletin from the company said.
Yahoo said it learned of the attack after an analysis of data provided by law enforcement authorities.
“As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data,” Lord said. “The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.”
Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” Lord said. “We are notifying the affected account holders, and have invalidated the forged cookies.”
Yahoo has had a long history of security problems.
There have been media reports that Yahoo employees were aware as early as 2014 of the intrusion which led to the theft of data from 500 million users this September.
American mobile company Verizon Wireless agreed to purchase Yahoo for $4.83 billion in July.
The security breaches have led to speculation that Verizon might ask for a $1 billion discount on the sale of the company. In an interview with tech publication TechCrunch, a Verizon spokesperson said the mobile firm will “review the impact of the new development before reaching a final conclusion.”