Yahoo's CISO, Bob Lord, has announced on the company's blog that the accounts of more than one billion users may have been accessed in a cyber-attack dating back to 2013, separate from the previously reported 2014 hack which affected 500 million accounts.
Lord said that the incident was “distinct” from the cyber-attack the company had already disclosed, which affected 500 million users. That hack took place in 2014 but was only made public in September.
Alluding to who may be behind such an attack, Lord said: “We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” referring to the 2014 breach.
The firm said that the unauthorised third party had stolen the data, including names, email addresses, phone numbers, dates of birth and passwords hashed with MD5, and added: “payment card data and bank account information are not stored in the system the company believes was affected.”
The company said, “based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies,” and added, “we are notifying the affected account holders, and have invalidated the forged cookies.”
This new breach raises questions about Verizon's $4.8bn acquisition of Yahoo, and whether the US mobile carrier will try to get a better deal or drop it.
When Yahoo disclosed the 2014 breach in a filing with the US Securities and Exchange Commission, the Financial Times reported that Verizon was not commenting on Wednesday's filing, although it had previously said it wanted to know whether the attack would have a material impact on Yahoo.
Back in mid-October, Verizon's general counsel Craig Silliman confirmed the company had a “reasonable basis” to believe that it has.
Meanwhile, the backlash against both hacks is well under way, with threats of legal action and EU privacy regulators questioning Yahoo CEO Marissa Mayer about the effect of the breach, according to telecompaper.
Yahoo has advised that users should update their passwords and security questions.
Kevin Cunningham, president and founder at SailPoint, told SC Media UK: “What this latest breach disclosure by Yahoo underscores is an interesting trend where hackers are breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores. Think about all of the highly sensitive files that could be lurking in these breached Yahoo email accounts: incredibly sensitive tax or financial statements, personal healthcare data, even banking or credit card information.”
Cunningham added: “And that's what hackers are after today: sensitive data that is ripe for the taking. With analysts estimating that unstructured data comprises 80 percent of all enterprise data today, this is an incredibly big challenge for companies today who lack proper visibility into the data stored there. Not only do companies struggle to understand what data even lives in these unstructured data stores, but because hackers often steal copies, it's sometimes impossible to know what data was even taken. And, even if you identify and stop an attack, the data is still in the hands of the bad guys.”