Yahoo, still reeling from a hack that impacted more than 500 million accounts earlier this year, on Wednesday revealed another one billion accounts were compromised in a separate attack dating back to 2013.
According to the company, the latest intrusion exposed user account information that might include names, email addresses, phone numbers, dates of birth, passwords hashed with the MD5 algorithm, and encrypted or unencrypted security questions and answers. Yahoo does not believe password information was disclosed in clear text, nor did payment card data or bank account information leak as part of the breach.
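Unsalted MD5 is a fast hash, not a password-storage function, which is why a dump of MD5 password hashes is treated as a serious exposure. The following is an added example, not Yahoo's code or anything described in the article, showing how a service can store new passwords with a salted, memory-hard KDF (scrypt from the Python standard library) and transparently upgrade a legacy `md5$...` record the next time its owner logs in successfully. The record format (`scheme$...`) and the `legacy_md5` helper are constructed for illustration only.

```python
"""Added example (not from the original article): salted scrypt password
records with on-login migration away from legacy unsalted MD5 records."""
import hashlib
import hmac
import os

# Work-factor parameters for scrypt; tune upward as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # allow the 16 MiB that N=2^14, r=8 needs


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def legacy_md5(password):
    """Constructed stand-in for a legacy unsalted MD5 record (md5$hex)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_password(password, record):
    """Return (ok, upgraded_record_or_None).

    A legacy md5$ record that verifies is immediately re-hashed with scrypt so
    the caller can overwrite it; an scrypt$ record needs no upgrade.
    """
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        ok = hmac.compare_digest(candidate, rest)  # constant-time compare
        return ok, (hash_password(password) if ok else None)
    if scheme == "scrypt":
        n, r, p, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p),
                            maxmem=SCRYPT_MAXMEM, dklen=32)
        return hmac.compare_digest(dk.hex(), dk_hex), None
    return False, None  # unknown scheme: fail closed


if __name__ == "__main__":
    old = legacy_md5("correct horse")          # constructed legacy record
    ok, new_record = verify_password("correct horse", old)
    print(ok, new_record.startswith("scrypt$"))  # True True
```

Because each record carries its own parameters, the work factor can be raised later without breaking existing users: records hashed with older parameters still verify, and the same upgrade-on-login path can rewrite them.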
By comparison, Yahoo’s 2014 hack, which involved some 500 million accounts, reportedly revealed names, email addresses, telephone numbers, dates of birth, passwords and security questions. At the time, the company blamed the attack on a state-sponsored actor.
While the attack is distinct from the breach disclosed in September, Yahoo is blaming at least part of the activity on the same state-sponsored agent or agents.
Thought to have been carried out in 2013, the attack was only recently uncovered by Yahoo’s security team. In November, law enforcement officials furnished the company with data files that a third party claimed had been gleaned from user accounts. Analysis of the data narrowed down a probable attack window to August 2013.
“We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” the company said in an email sent out to affected users.
Detailing how hackers managed to break into more than one billion accounts, Yahoo CISO Bob Lord said his team believes an unauthorized third party likely accessed Yahoo’s code in 2013 and discovered a way to forge cookies. Armed with a cookie creation tool, intruders would be able to access accounts without a password.
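The defensive lesson in that account is that a session cookie must be both integrity-protected and signed with a key that does not live in the source tree: if reading the code is enough to forge a valid cookie, the code has become the credential. The example below is added here and is not Yahoo's code or a description of its actual cookie format. It assumes a hypothetical `SESSION_SIGNING_KEY` environment variable (standing in for a secrets manager) and uses an HMAC-SHA256 tag over a base64 payload with an expiry, verified with a constant-time comparison.

```python
"""Added example (not from the original article): an HMAC-protected session
cookie whose signing key is loaded from outside the code base."""
import base64
import hashlib
import hmac
import json
import os
import time


def load_signing_key():
    """Hypothetical key loading: read from the environment / secrets store.

    The constructed fallback exists only so this example runs offline; a real
    deployment should fail to start rather than fall back to a built-in key.
    """
    key = os.environ.get("SESSION_SIGNING_KEY")  # assumed variable name
    if key is None:
        return b"constructed-demo-key-do-not-use"
    return key.encode()


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id, key, ttl=3600, now=None):
    """Build '<payload_b64>.<tag_b64>' where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl},
                         separators=(",", ":")).encode()
    body = _b64e(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_cookie(cookie, key, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.

    The tag is checked before the payload is parsed, so a cookie produced
    without the key is rejected without any of its contents being trusted.
    """
    now = int(time.time()) if now is None else now
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None  # malformed cookie
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired or structurally wrong
    return payload.get("uid")


if __name__ == "__main__":
    key = load_signing_key()
    cookie = issue_cookie("alice", key, ttl=600, now=1000)
    print(verify_cookie(cookie, key, now=1100))   # alice
    print(verify_cookie(cookie, key, now=2000))   # None (expired)
```

Rotating the key (or keeping a short-lived key per epoch) limits how long a stolen key remains useful, and invalidating outstanding cookies on a password change, as the article says Yahoo required of affected users, is what actually cuts off an intruder who already holds a valid one.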
Yahoo is in the process of notifying users it believes were impacted by the breach and is requiring those affected to change their passwords. The company also invalidated unencrypted security questions and answers in a bid to stave off follow-up attacks.