NEW YORK — Yahoo says it believes hackers stole data from more than one billion user accounts in August 2013.
The Sunnyvale, California, company says it's a different breach from the one it disclosed in September, when it said 500 million accounts were exposed. That new hack revelation raises questions about whether Verizon will try to change the terms of its $4.8 billion proposed acquisition of Yahoo.
Yahoo says the information stolen may include names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
In a statement, CISO Bob Lord said
we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.
Yahoo users should take the following steps to protect their accounts, the company said:
- Change passwords and security questions
- Review all accounts for suspicious activity
- Avoid clicking on links or downloading attachments from suspicious emails
- Check out other tips on their website
This is a developing story. Check back for more details.