Yahoo Confirms Another Major Data Breach; More Than 1 Billion Users Affected


Remember how, just three months ago, Yahoo had to admit that data for more than 500 million of its users had been compromised in 2014? It seems ridiculous to refer to something that hit 500 million people as the “smaller” of anything, but it turns out that was only the second overwhelmingly huge data breach Yahoo suffered in recent years. This week, it’s admitting a previous, even larger intrusion that hit more than a billion — yes, with a B — user accounts.

This breach happened in 2013, Yahoo writes, and is “likely distinct from” the other breach they disclosed in September. The stolen data, however, comprises the same categories, including:

  • Names
  • E-mail addresses
  • Telephone numbers
  • Dates of birth
  • Hashed passwords
  • Encrypted and unencrypted security questions and answers

Yahoo also believes that some bad actors got access to proprietary code in order to forge cookies that let them log into users’ accounts without even having a password, stolen or otherwise. The forged cookie incident, the company says, is probably related to the breach it reported in September.

Yahoo says it will be notifying “potentially affected users,” but since that number is in the billions it seems safe to assume that means basically everybody. All potentially affected users (again, basically everyone) will be required to reset their password, and will have their existing unencrypted security questions and answers invalidated.

Don’t consider yourself a Yahoo user? You still might be: in addition to all the Yahoo!-branded services and platforms the company offers, it also acquired Flickr in 2005 and Tumblr in mid-2013.

As for what users can do, good old-fashioned security rules mostly apply:

  • If you have a Yahoo account, change the password on it now
  • If you ever reused your Yahoo password on any other account, change the password on those accounts now
  • Enable two-factor authentication (that thing where you get a secondary code texted to you) on every one of your accounts that you can
  • Consider using a password manager
  • If you use Yahoo as a login service for any other service, consider changing your accounts there, too

The FTC also maintains a step-by-step, customizable guide for consumers who have been the victim of data theft at IdentityTheft.gov, which is a useful resource if you’ve been part of basically any hack, breach, or other, more severe data loss.

News of this second breach is unlikely to go over well with, well, basically anyone. Yahoo was already facing Senate inquiries over the half-billion accounts hacked in 2014. And then there’s that whole merger with Verizon thing, which is already looking troubled after it turned out that someone at Yahoo may have known about the 2014 hack more than two years before it was publicly disclosed.

Anything that affects the value of Yahoo in a big negative way can be a “material event” that lets Verizon walk away. Verizon leadership has already said that the 2014 hack may well be such a material event, so it’s hard to see how another billion-user hack a year earlier wouldn’t be as well.