Dive Brief:
- Yahoo revealed Wednesday that it suffered a separate data breach in August 2013, compromising the data of more than one billion user accounts.
- In November, law enforcement provided Yahoo with files that a third party claimed were its user data. Yahoo verified the data was authentic, but was unable to "identify the intrusion associated with this theft," said Bob Lord, CISO of Yahoo, in a blog post. Yahoo believes the incident is "distinct" from the data breach it disclosed in September, bringing the total number of breached accounts to as many as 1.5 billion.
- "Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies," Lord said. "The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies."
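The forged-cookie detail in the brief is the instructive part: if a session cookie's integrity rests on a secret key rather than on keeping the signing code secret, reading the source tells an outsider the format but not enough to mint a valid cookie, and rotating the key is exactly the "invalidated the forged cookies" step. The example below is added here to illustrate that point; it is not Yahoo's code and the cookie layout (`user|expiry|HMAC tag`) is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

# Assumed cookie layout for this example: "<user>|<expiry>|<hex HMAC-SHA256 tag>",
# where the tag covers "<user>|<expiry>" under a server-side secret key.
# This is a constructed illustration, not any real service's cookie format.


def mint_cookie(user: str, key: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue a signed session cookie for `user` that expires `ttl` seconds from `now`."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, keys: List[bytes], now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie verifies under any accepted key, else None.

    `keys` holds the current key first, then any older keys still honoured during
    a rotation window. Dropping a key from the list invalidates every cookie that
    was minted under it, whether issued legitimately or forged.
    """
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    if not expiry.isdigit() or int(expiry) < now:
        return None
    payload = f"{user}|{expiry}".encode()
    for key in keys:
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check itself leaks nothing.
        if hmac.compare_digest(expected, tag):
            return user
    return None


def rotation_demo() -> dict:
    """Show why a keyed MAC resists source-code exposure and how rotation revokes cookies."""
    old_key = secrets.token_bytes(32)
    new_key = secrets.token_bytes(32)
    t0 = 1_700_000_000  # fixed clock so the demo is deterministic
    legit = mint_cookie("alice", old_key, now=t0)
    # A cookie built with full knowledge of the format but under a key the
    # server never held: the algorithm alone is not enough.
    foreign_key_cookie = mint_cookie("alice", secrets.token_bytes(32), now=t0)
    # A legitimate cookie whose user field was edited after signing.
    tampered = legit.replace("alice", "bob", 1)
    return {
        "valid_before_rotation": verify_cookie(legit, [old_key], now=t0 + 10),
        "foreign_key_rejected": verify_cookie(foreign_key_cookie, [old_key], now=t0 + 10),
        "tampered_rejected": verify_cookie(tampered, [old_key], now=t0 + 10),
        "grace_window_accepts_old": verify_cookie(legit, [new_key, old_key], now=t0 + 10),
        "rejected_after_rotation": verify_cookie(legit, [new_key], now=t0 + 10),
        "expired_rejected": verify_cookie(legit, [old_key], now=t0 + 4000),
    }


if __name__ == "__main__":
    for name, result in rotation_demo().items():
        print(f"{name}: {result}")
```

The design choice worth noting is that the secret lives only in the key, so the code can be public (or stolen) without weakening the scheme, and revocation is a key-list change rather than a hunt for individual cookies. A real deployment would also bind the cookie to a server-side session record so that individual sessions can be revoked without rotating the key for everyone.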
Dive Insight:
Yahoo said it has connected some of the malicious activity to what it believes was a state-sponsored actor responsible for the previously disclosed breach. To protect users, Yahoo said it was requiring password changes and "invalidated unencrypted security questions and answers so that they cannot be used to access an account," according to the post.
The scale of Yahoo's data breaches is enormous. It is standard practice for breaches with a few million targeted accounts to make headlines, but Yahoo is on another plane entirely. To put it in perspective, the hack at the Office of Personnel Management impacted 21.5 million people, and that was one of the biggest revealed hacks of 2015. Granted, that information was far more sensitive than the data breached in the Yahoo hacks, but the prevalence of password reuse means many Yahoo users could be negatively affected.
As it stands, Yahoo is in trouble. The company is in the midst of being acquired by Verizon, which reportedly was looking for a $1 billion discount. Legislators are also calling for SEC investigations into how the company handled the disclosure of the original hack revealed in September.