Yahoo has said more than one billion user accounts may have been affected in a hacking attack dating back to 2013.
The internet giant said the attack appeared to be separate from a 2014 breach disclosed in September, when Yahoo revealed 500 million accounts had been accessed. Yahoo said names, phone numbers, passwords and email addresses were stolen, but not bank and payment data.
The company, which is being taken over by Verizon, said it was working closely with the police and authorities. Yahoo said it “believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts”.
The breach “is likely distinct from the incident the company disclosed on September 22, 2016”. However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, Yahoo said. Account users were urged to change their passwords and security questions. The California-based company has more than a billion monthly active users, although many people have multiple accounts. There are also many accounts that are little used or dormant.
Cyber security expert Troy Hunt told the BBC: “This would be far and away the largest data breach we’ve ever seen. In fact, the 500 million they reported a few months ago would have been, and to see that number now double is unprecedented.” Yahoo said some of the breach could be linked to state-sponsored activity, as with the previous attack.
Prof Peter Sommer, a specialist in digital forensics at Birmingham City University, said he could be persuaded it was a state-sponsored hack, “but at the moment I’m not”. In September, when Yahoo disclosed the 2014 data breach, the company said information had been “stolen by what we believe is a state-sponsored actor”, but it did not say which country it held responsible.