NEW YORK – Yahoo says it believes hackers stole data from more than one billion user accounts in August 2013, in what is thought to be the largest data breach at an email provider.
The Sunnyvale, California, company was also home to what’s now most likely the second-largest hack in history, one that exposed 500 million Yahoo accounts. The company disclosed that breach in September. Yahoo said it hasn’t identified the intrusion associated with this theft.
Yahoo says the information stolen may include names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But the company said hackers may have also stolen passwords from the affected accounts. Technically, those passwords should be secure; Yahoo said they were scrambled twice – once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
WATCH: Professor Peter Sommer, a cyber security expert, told the Associated Press he’s not inclined to believe the hack was state-sponsored.
That could mean trouble for any users who reused their Yahoo password for other online accounts.
Questions for Verizon
The new hack revelation raises fresh questions about Verizon’s $4.8 billion proposed acquisition of Yahoo, and whether the big mobile carrier will seek to modify or abandon its bid. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon. The telecom giant wants Yahoo and its many users to help it build a digital ad business.
In a statement, Verizon said that it will evaluate the situation as Yahoo investigates and will review the “new development before reaching any final conclusions.” Spokesman Bob Varettoni declined to answer further questions.
Yahoo said Wednesday that it is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts.