2013 Yahoo Breach: Over 1 Billion Accounts Had Data Stolen

It is probably the largest such breach to have occurred in the U.S., according to the Privacy Rights Clearinghouse, which tracks data breaches.

(TNS) — Yahoo said Wednesday that information from more than 1 billion customer accounts was stolen by an unauthorized third party in August 2013, a separate hacking incident twice as large as the 2014 one disclosed earlier this year.

The information may have included names, email addresses, phone numbers and birth dates, the company said. In addition, some encrypted or unencrypted security questions and answers, as well as jumbled-up passwords, were stolen. Yahoo does not believe credit card or bank account information was taken.

“We have not been able to identify the intrusion associated with this theft,” Bob Lord, Yahoo’s chief information security officer, said in a blog post.

“With Yahoo disclosing two major breaches in a relatively short period of time, it indicates there is something wrong with the way they secure personal data,” said Beth Givens, executive director of the Privacy Rights Clearinghouse.

Major U.S. data breaches

1. Yahoo, more than 1 billion accounts (2013)

2. Yahoo, at least 500 million accounts (2014)

3. FriendFinder Network, 412 million (2016)

4. MySpace, 360 million (2016)

Source: Privacy Rights Clearinghouse

The announcement will further complicate the intended sale of Yahoo to Verizon. The proposed $4.83 billion deal is already in jeopardy after Yahoo revealed in September, two months after the deal was announced, that information from at least 500 million of its accounts had been stolen in late 2014. Verizon’s attorney has said that the 2014 breach may amount to what Wall Street regulators refer to as a material event — which could leave the door open for Verizon to renegotiate the deal.

Verizon said in a statement Wednesday that it will “evaluate the situation as Yahoo continues its investigation.”

“We will review the impact of this new development before reaching any final conclusions,” the statement said.

Yahoo did not disclose how many users have accounts with the company, but in the past it has said that more than 1 billion users access its properties, which include popular sites such as Yahoo Sports, News and Tumblr. It is possible that users could have more than a single account on the platform. Nonetheless, a billion is an enormous number.

“It’s really bad news if you’re somebody who has a Yahoo account,” said Jan Dawson, chief analyst with consulting firm Jackdaw, adding, “You would expect an online service company to do a better job of protecting your account data.”

Some accounts could have been affected by both mega-breaches.

In the latest disclosed breach, information taken from some of the accounts includes unencrypted security questions and answers, which could leave users even more vulnerable to attacks. If the consumer were to use the same security answers on other websites, a hacker could simply use that information to change the consumer’s password, said Pam Dixon, executive director of the World Privacy Forum.

“If you are a hacker, the answer to your security questions are like gold,” Dixon said.

Yahoo has said that its 2014 breach of at least 500 million user accounts could have involved a state-sponsored actor, meaning someone acting on behalf of a nation. The company also disclosed on Wednesday that it believes an unauthorized third party also accessed “the company’s proprietary code to learn how to forge cookies,” and that some of those actions have been linked to the same state-sponsored actor in the 2014 data breach. Cookies are a tool that allows the website and a computer to save information, such as a user name, password or address, so it doesn’t need to be re-entered.

Yahoo said it is requiring its users affected by the 2013 breach to change their passwords. The company said it also invalidated unencrypted security questions and answers as well as the forged cookies.

"We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts," Lord said in his blog post.

More than 150,000 U.S. government and military employees are among the victims of the newly disclosed breach. They had given their official government accounts to Yahoo in case they were ever locked out of their e-mail, and it raises the possibility that foreign intelligence services could identify employees and hack their personal and work accounts.

The questions will mount for Verizon. The two companies had recently come “close to an agreement” on Yahoo’s liability on the 2014 breach when information on the 2013 breach emerged, according to the Wall Street Journal, citing unnamed sources.

“Given this is the second surprise for Verizon, I wouldn’t be surprised if Verizon just pulls out,” said Patrick Moorhead, president of Moor Insights and Strategy. “The risk is just so high at this point.”

If Verizon were to pull out, Moorhead believes other companies will still be willing to buy Yahoo, an Internet pioneer that has struggled to find relevance against strong competitors like Google. Earlier this year, as Yahoo had explored a sale, dozens of potential suitors emerged, according to the company.

Yahoo on Wednesday said it is moving forward with the Verizon deal.

“We are confident in Yahoo’s value and we continue to work towards integration with Verizon,” Yahoo said in a statement.

It remains to be seen whether this data breach causes Yahoo users to flee. Some might, but since data breaches have become more common, this latest disclosure is unlikely to make a serious dent in Yahoo’s user base, said Travis Smith, senior security researcher for Tripwire, which makes security software.

“Since users are desensitized to data breaches, I don’t think there is going to be a mass exodus,” Smith said.

Yahoo stock declined slightly in after-hours trading.

Bloomberg News contributed to this report.

©2016 the San Francisco Chronicle, Distributed by Tribune Content Agency, LLC.