The personal information of over one billion Yahoo users has been compromised, shattering the company’s own humiliating record for the biggest security breach in history.
The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
“It’s shocking,” security expert Avivah Litan of Gartner Inc.
Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.
Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion.
Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
That could mean trouble for any users who reused their Yahoo password for other online accounts. If you think you’ve been affected, here’s what to do:
Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)
Yahoo encourages users to “review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.”
If you are still worried about your account being hacked, head to the website haveibeenpwned.com. It will tell you how many times your email address has been involved in a hack, and what specific information was compromised.
Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.
That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.
News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.
After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.” Spokesman Bob Varettoni declined to answer further questions.
At the very least, the security lapses “definitely will help Verizon in its negotiations to lower the price,” Litan predicted. Yahoo has argued that news of the 2014 hack didn’t negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.
“This just adds fuel to the fire and it won’t help Yahoo’s cause,” said Eric Jackson, a longtime critic of the company’s management. Although he has in the past, Jackson doesn’t currently own Yahoo stock.
Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.
The Associated Press contributed to this article.
Computers can be beneficial. However, in many ways, the old way of keeping records was more secure.
That’s what Osama bin Laden and Al Qaeda did. No traceable cell phones or GPS tracking at all. Multiple Couriers delivering fragmented verbal messages. Look how long it took us to track him down. Low-tech may soon become the new high-tech.
Yahoo lol I use a fake name on it anyway.
I blame a lot of this on the outsourcing to Pakistan
nothing is secret on the internet!
Well I believe that this was not good what happen to websites hackers break in to put in this way there's note to beat the eye nothing for Free there has to be Money involved in this hidden Party that had plan to do this ya hater out there no Gang Hackers does this for nothing there's millions of Money involved how come the Hackers has n got gut yet there's a lot of meant people out there everybody should be aware of that Be very CAUTION what you do on any Websites Nationwide do not give your real name out Specially your Phone Number I was Hacked on Facebook that's enough for me beware of Telegram Messenger my Identity was Stolen by a Lady who pretend she was Me Stolen Everything my Number was used for to take Money from Outside Teller from ya Banks? So beware who You Give Your Number to?
Lauren, please train and learn the voice dictation thingy. You just hashed the comments.
They supported Hillary the “Hun” in both the primary & general election processes maybe she can help them out of their mess; although I doubt she’ll have the time what with her upcoming high end donor thank you event. Too bad for you guys enjoy the party.
Hillary Clinton: The Russians are responsible!
Nancy Pelosi: Aided by the Republicans!
Julian Assange: Don’t say you weren’t warned.
Jill Stein: I want another recount of how many email accounts were actually hacked.
That’s a good one thanks for the smile it gave me.
I WOULD NOT PUT IT PAST VERIZON TO BE THE ONE THAT HACKED THEM TO HAVE A BARGAINING TOOL TO LOWER THE PRICE. IN MY OPINION VERIZON HAS SOME VERY UNETHICAL BUSINESS PRACTICES.
agreed
MUST BE THE RUSSIANS, I GUESS……..OR, WAS IT GOVERNMENT?????