Yahoo has just announced another massive hack that may have affected 1 billion users, equivalent to almost its entire user base, according to a security notice emailed to users.
Last month, law enforcement alerted the company to data that allegedly belonged to Yahoo users. Following an investigation, it was confirmed that the data was indeed part of the Yahoo database, stolen in August 2013.
So far, the company hasn’t identified the culprits or their attack method, and it believes this breach is separate from the one confirmed on Sept. 22, 2016, which affected some 500 million accounts in 2014. The attackers forged cookies to access accounts without a password, but the forged cookies have been invalidated. Unencrypted security questions and their answers have been disabled so that hackers cannot use them to access accounts. All users who may have been affected are asked to change their passwords.
“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo’s Chief Information Security Officer, Bob Lord, wrote in his email to all account holders. “Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.”
Yahoo assures users of its efforts to protect the system and to prevent unauthorized access. In the meantime, account holders should immediately change their passwords, security questions and answers for Yahoo as well as for other accounts that reuse the same information, double-check their accounts for suspicious activity, not respond to suspicious emails asking for personal information, and not click on links or download attachments from unknown sources.