Yahoo has disclosed what it believes to be a second big hack, this one affecting more than 1 billion user accounts in 2013.
In a blog post Wednesday, Yahoo said it has not been able to identify the intrusion that allowed a third party to steal “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” On the plus side, Yahoo said it does not believe unprotected passwords, bank information or credit card numbers were compromised by the hack as that information is stored in a different system.
Yahoo said it has contacted affected users and made them change their passwords. Yahoo also invalidated unencrypted security questions that hackers could use to retrieve passwords after users changed them.
Yahoo officials said they believe the hack is “distinct” from the attack the company disclosed in September. In that breach, Yahoo said, at least half a billion of its user accounts were hacked in late 2014, probably by a state actor. The 2014 breach may have exposed users’ names, email addresses, phone numbers, birthdates, hashed passwords and encrypted or unencrypted security questions and answers, Yahoo said in a blog post. It did not include unprotected passwords, payment card data or bank account information, the company said.
The public disclosure of these hacks comes as Verizon is working out a deal to buy Yahoo for approximately $4.8 billion. Verizon didn’t know about the 2014 hack until after the merger agreement was signed, and reports indicate that Verizon may try to renegotiate the deal as a result.
Verizon hasn’t issued a statement or commented on the 2013 hack.