Internet company Yahoo says more than 1 billion users’ accounts were compromised in a 2013 hack.
In September the company confirmed 500 million users’ details were stolen in 2014 – reported widely as the biggest data breach in history.
But Yahoo’s latest announcement is about an entirely different breach, this one in August 2013 and twice as large. The company says names, email addresses, telephone numbers, dates of birth and encrypted passwords have been taken.
Passwords are believed to be safe, but answers to users’ security questions aren’t. Bank account information is also believed to be safe.
“Law enforcement provided us with data files that a third party claimed was Yahoo user data,” the company said in a statement.
“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorised third party, in August 2013, stole data associated with more than 1 billion user accounts.”
Yahoo says it believes hackers figured out how to forge ‘cookies’ – little pieces of data which let people access their accounts from the same device, without having to sign in every time.
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” says Yahoo.
“We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
“With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks.”
Yahoo says the two record breaches are likely to have been carried out by the same “state-sponsored actor”.
Yahoo has suffered a number of security breaches in recent years.