Yahoo confirmed yesterday that it has discovered a breach of over one billion user accounts. The breach is believed to have occurred around August 2013. Apart from this, there was also a theft of data from more than 500 million user accounts this September.
Bob Lord, Chief Information Security Officer, said that the company has yet to determine how the data was stolen. “We have not been able to identify the intrusion associated with this theft,” said Lord in his post that reported the hack. He also added, “The stolen user account information may have included names, email addresses, telephone numbers, date of birth, hashed password (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
Yahoo also said that its proprietary code has been accessed by hackers, who used it to forge cookies through which accounts can be accessed without passwords. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.” Bob Lord also added that he believes the attack was launched by a state-sponsored actor.
This breach adds to Yahoo’s long chain of security problems. What executives knew, and when they came to know it, are crucial questions in Yahoo’s ongoing acquisition by Verizon. Verizon agreed to buy Yahoo for $4.83 billion in July 2016. However, the recent security incidents have led to speculation that Verizon might lower the price by $1 billion.
“As we have said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions,” a Verizon spokesperson said.
Yahoo also faced scrutiny over its security practices in October, when Reuters published a report stating that the company had scanned all the user accounts in 2015 under instructions from a U.S. intelligence agency.