Biggest data breach ever reported hits 1 billion Yahoo accounts


For the second time this year, Yahoo has reported the largest security breach on record. This time a reported 1 billion user accounts have been impacted. The breach poses further problems for Yahoo CEO Marissa Mayer as she tries to close the $4.8bn sale to Verizon Communications. With the deal not set to close until early 2017, and this being the second record-breaking data leak Yahoo has reported, Verizon still has plenty of time to negotiate the price or decide whether the takeover is worth it. But what does the latest record-setting data leak mean for you?

“We have not been able to identify the intrusion associated with this theft,” wrote Bob Lord, Yahoo’s chief information security officer, in a public post announcing the latest breach. “Payment card data and bank account information are not stored in the system the company believes was affected,” he said.

The company is asking affected customers to change their passwords.

Lord also highlighted an issue with forged cookies that could allow an intruder to access users’ accounts without a password.

“Based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies,” Lord said.

“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”

Today’s reports add to Yahoo’s long string of security problems. Yahoo employees reportedly knew of the intrusion that led to the theft of data from 500 million users as early as 2014, but the company did not announce the breach until this September. With so many security issues surfacing, it is highly likely further breaches will be reported in the near future.

User data that may have been stolen includes names, email addresses, telephone numbers, dates of birth and encrypted and unencrypted security questions and answers, among other details. The investigation so far suggests hackers did not obtain credit card or bank account information.

Note: This is a separate hack to the one reported in September 2016. If you are unsure whether or not your account has been compromised, change your password.

The full press release from Yahoo contains important information for users and can be read here (English).


Protect your account

Have a nice (malware-free) day!

Senan Conrad


Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.
