Yahoo hacked again, more than one billion accounts stolen

The company said the attack was 'likely distinct' from a separate hack in September 2014.
Written by Zack Whittaker, Contributor

(Image: file photo)

Yahoo has disclosed that more than one billion accounts may have been stolen from the company's systems in another cyberattack.

The company said in a statement Wednesday after the markets closed that unnamed attackers stole the accounts in August 2013, a year prior to a previously disclosed attack, in which attackers stole around 500 million accounts in September 2014.

The company wasn't able to identify the intrusion associated with the August 2013 breach.

The statement said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords (using the weak, easy-to-crack MD5 algorithm), dates of birth, and in some cases, encrypted or unencrypted security questions and answers.

Yahoo said it has invalidated unencrypted security questions and answers so that they cannot be used to access affected accounts.

Payment card data and bank account information, stored in separate systems, are not thought to have been stolen in the attack.

Source code stolen

The company admitted that hackers may have developed a way of accessing accounts without a password by stealing Yahoo's secret source code.

"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies," which can be used to store authentication credentials locally.

"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," the statement said.

Yahoo has also invalidated the cookies.

Reporting delay 'unacceptable'

It's the latest security blow against the former internet giant, which earlier this year -- just as it was being bought by Verizon for $4.8 billion -- said it had been attacked by "state-sponsored" hackers.

Yahoo still hasn't said who behind the attack, nor which state may have sponsored the hackers.

Verizon reiterated its statement on Wednesday, saying it "will evaluate" the purchase as Yahoo continues its investigation.

The news likely won't help confidence in the company that was heavily criticized by six leading senators for taking two years to disclose the September 2014 breach.

When reached, a Yahoo spokesperson said in an email that the company is "working closely with law enforcement."

Yahoo was down more than 2.5 percent in after-hours trading on the Nasdaq in New York.

Editorial standards