Another major breach confirmed by Yahoo, user data exposed

Dec 15, 2016 06:00 GMT

Yahoo has just confirmed that more than 1 billion accounts got hacked in 2013 by what the company believes to be a “state-sponsored actor” who was also responsible for breaching 500 million accounts in a separate attack that the firm announced earlier this year.

Yahoo said in a lengthy security announcement that information provided by law enforcement, which the company closely analyzed, indicated that third parties were able to access Yahoo user data. After investigations conducted by both the firm and outside forensic experts, they “found that it appears to be Yahoo user data.”

As a result, the company says it concluded that in August 2013 an unauthorized third party managed to access data of no less than 1 million accounts, including names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo says that the stolen passwords were not stored in clear text, and that card and bank account information was not accessed because it is stored on a different system.

Furthermore, it appears that attackers managed to forge cookies and gain access to accounts without passwords, with Yahoo explaining that it has already discovered accounts that were accessed using this method. The company invalidated the cookies to block unauthorized access.

State-sponsored attack

For the moment, there’s no information as to who could be behind the attack, but Yahoo says it believes that the breach was carried out by the same hackers who managed to break into the other 500 million accounts that the firm announced earlier this year.

“We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” it says.

At this point, Yahoo is notifying users to reset their passwords, and the company recommends that users change passwords, security questions, and answers for every Yahoo account. You should avoid clicking on any links or attachments coming from suspicious sources, and review all accounts for third-party activity, the firm says.

“We’ve taken steps to secure those user accounts and we’re working closely with law enforcement,” the company says. “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”

You can read the full Yahoo announcement in the box below.

Yahoo Security Notification