Dec. 15, 2016
Data breach numbers just keep getting bigger and more breathtaking.
Yahoo Inc. this week announced it has identified data security "issues" affecting more than one billion — yes, that's billion with a B — user accounts.
This intrusion is separate from one announced in September. That breach affected 500 million accounts, and is believed to have been a state-sponsored attack, according to Yahoo.
According to a company press release about the latest breach:
… Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on Sept. 22, 2016.
Data stolen in the attack included names, email addresses, telephone numbers, dates of birth, encrypted passwords and, in some cases, encrypted or unencrypted security questions and answers. Passwords in clear text, payment card data and bank account information are stored in a separate system that does not appear to have been compromised, the company said.
Yahoo is already working with outside forensic experts on another incident involving forged cookies that could allow an intruder to access user accounts without a password. Yahoo said that, apparently, "an unauthorized third party accessed the company's proprietary code to learn how to forge cookies."
According to the press release, the company has taken steps to protect user accounts affected by the data breach and to invalidate forged cookies and inform affected customers.