December 15th 2016
Internet giant Yahoo! says that over one billion user accounts may have been affected in a hacking attack which took place in August 2013. If you have a Yahoo! account, you are strongly advised to change your password and security question.
Names, phone numbers, passwords and email addresses were stolen, but not bank and payment data, according to the company, which says it is working with the police and other authorities.
Apparently, this is separate from a 2014 breach which was disclosed in September this year, when Yahoo! revealed that 500 million accounts had been accessed. However, it has come to light as part of continuing investigations by security experts and law enforcement into the later breach.
Yahoo! has over a billion monthly active users, including many who have multiple accounts. It also has many dormant or little-used accounts.
Cyber security expert Troy Hunt told the BBC: "This would be far and away the largest data breach we've ever seen. In fact, the 500 million they reported a few months ago, would have been, and to see that number now double is unprecedented. Yahoo hasn't attributed the attack to any state-sponsored activity as they did with the previous incident. They've referred to the tampering of cookies, though, which gives us some useful insight into where the vulnerability may have existed in their system."
Yahoo! has attributed the 2014 breach to a "state-sponsored actor", but has not revealed which country it believes to have perpetrated the attack.
Acquisition could be affected
Yahoo! is currently the subject of a proposed US$4.8bn takeover by US mobile carrier Verizon, which has said that it will evaluate the situation in the light of the latest revelation. Troy Hunt believes that Verizon devalued Yahoo! by US$1bn after the news emerged of the 2014 attack.