Yahoo has issued a security notice after finding that "data associated with more than one billion user accounts" was stolen in August 2013. The internet firm was tipped off by law enforcement officers and believes this hack and grab to be 'distinct' from the recently reported breach of 500 million Yahoo accounts (which actually occurred in late 2014).
In this latest reported hack and access of Yahoo data by an unauthorized third party, the following user data was swiped:
- phone numbers,
- dates of birth,
- hashed passwords (MD5),
- and email addresses.
Yahoo noted that associated bank and payment card data was not stolen. Furthermore, those affected will receive a Yahoo notification asking them to change their passwords. Some affected users will also find that old unencrypted security questions and answers have been invalidated as a security measure.
If the above 1bn user account hack and September's news of half a billion accounts hacked aren't enough, Yahoo also has an ongoing investigation into the use of 'forged cookies' to sneakily access Yahoo accounts during 2015 and 2016. Such hacker-created cookies "could allow an intruder to access users' accounts without a password," admits Yahoo.
Again, affected account holders are being notified, with the forged cookies invalidated. Interestingly, Yahoo says that the forged cookies exploit comes from "the same state-sponsored actor" believed to be responsible for the (2014) data theft disclosed in September.