Yahoo Inc. revealed new security issues affecting more than a billion users’ data, a theft that is separate and twice as large as the hack it disclosed earlier this year.
On Wednesday, Yahoo said an unauthorized third party stole data associated with more than one billion user accounts in August 2013. In September, Yahoo blamed “state-sponsored” hackers for stealing data on 500 million user accounts, which at the time was the largest theft of personal user data ever disclosed.
Yahoo has agreed to sell its core business to Verizon Communications Inc. On Wednesday, Verizon said it would review the impact of the new breach. Verizon learned of the latest breach in the past few weeks, a person familiar with the matter said. The company still has all options on the table, including renegotiating the deal’s price or walking away, the person said.
Yahoo said it has taken steps to secure user accounts and is working closely with law enforcement.
In November, Yahoo disclosed law enforcement gave the company data files that a third party claimed was Yahoo user data. On Wednesday, the company confirmed it appears to be Yahoo user data.
Yahoo said it hasn’t identified the intrusion associated with the theft but believes it is likely distinct from the incident the company disclosed in September.
The stolen data in both cases may have included names, email addresses, dates of birth, telephone numbers, encrypted passwords and unencrypted security questions and answers, Yahoo said.
The company urged users to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account. It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.
Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password, said Wednesday it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies. Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Yahoo said it has connected some of the activity disclosed Wednesday to the same state-sponsored actor believed to be responsible for the data theft disclosed in September.
Shares in the company lost 2.4% after hours to $39.92.