If you have a Yahoo! login, it’s time to go change your password again. The company says personal information for more than a billion users was stolen, including names and passwords. The security breach happened in August 2013, and is likely the largest ever.
According to Yahoo!, hackers made off with names, birth dates, phone numbers, email addresses, security questions and answers, and hashed passwords. Those passwords were hashed rather than stored in the clear, but that is little consolation: Yahoo! had been hashing them with MD5, a fast general-purpose hash function that was never designed for password storage and that a commodity GPU can brute-force at billions of guesses per second. Without a slow, salted password hash, a stolen dump of this size is effectively a list of plaintext passwords for every user who picked a common one.
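To make the MD5 point concrete, here is an added example (not code from Yahoo! or from the original article) that runs a dictionary attack against a constructed dump of unsalted MD5 digests and then against the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256. The usernames, digests and wordlist are made up for the demonstration; PBKDF2 is used as the contrasting scheme purely because it ships in the Python standard library. The work counters show why one precomputed table cracks an unsalted dump wholesale while a salted, iterated hash forces the attacker to pay per user and per guess.

```python
import hashlib
import hmac
import os

# Constructed sample data (not real Yahoo! data): a tiny "leaked" dump of
# username -> unsalted MD5 hex digest, and a tiny wordlist.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "football"]

LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol": "d8578edf8458ce06fbc5bb76a58c5ca4",  # md5("qwerty")
    "dave":  "1f3870be274f6c49b3e31a0c6728957f",  # a password not in the wordlist
}

PBKDF2_ITERATIONS = 100_000  # demo value; production deployments tune this upward


def crack_unsalted_md5(dump, wordlist):
    """Dictionary attack on unsalted MD5. Returns (cracked, hash_computations)."""
    # Build the lookup table ONCE. With no salt, the same password always yields
    # the same digest, so len(wordlist) MD5 computations cover every user in the
    # dump no matter how many there are. Real attackers use precomputed tables
    # or GPUs doing tens of billions of MD5 computations per second.
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[d] for user, d in dump.items() if d in table}
    return cracked, len(table)


def hash_password(password, salt=None):
    """Salted, iterated hash for storage. Returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, dk):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


def crack_salted_pbkdf2(dump, wordlist):
    """Same dictionary attack against salted PBKDF2. Returns (cracked, hmac_computations)."""
    # With a per-user salt there is no shared table: every guess must be redone
    # for every user, and each guess costs PBKDF2_ITERATIONS HMAC-SHA256 calls.
    cracked = {}
    computations = 0
    for user, (salt, dk) in dump.items():
        for w in wordlist:
            computations += PBKDF2_ITERATIONS
            if verify_password(w, salt, dk):
                cracked[user] = w
                break
    return cracked, computations


if __name__ == "__main__":
    cracked, work = crack_unsalted_md5(LEAKED_MD5, SAMPLE_WORDLIST)
    print("unsalted MD5:", cracked, "hash computations:", work)
    # Re-store the same passwords the right way and attack again.
    salted = {"alice": hash_password("password"), "bob": hash_password("123456")}
    cracked, work = crack_salted_pbkdf2(salted, SAMPLE_WORDLIST)
    print("salted PBKDF2:", cracked, "HMAC computations:", work)
```

Note that the salted scheme still falls to a wordlist when the password itself is weak; what changes is the cost per account, which is what turns "a billion accounts cracked over a weekend" into an impractical amount of work.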
Yahoo! CISO Bob Lord said they discovered the breach when law enforcement came to the company with what appeared to be stolen user data. “Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” he said.
This follows Yahoo!’s September announcement of a separate data breach in which data from 500 million users was compromised. And as if that isn’t enough egg on Yahoo!’s face, the company said it’s also investigating an incident in which session cookies were forged.
“Our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password,” Mr. Lord said. “Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.”
A session cookie is what the server checks to decide that a browser is already logged in, so an attacker who can mint a valid-looking one for any account walks in without ever touching the password. The fact that the attacker needed Yahoo!’s proprietary code to do it suggests the cookies were something a server could reconstruct from code and secrets rather than an unguessable random value. Yahoo! says it has invalidated the forged cookies so they no longer grant access.
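The following is an added illustration, not Yahoo!’s actual cookie scheme and not code from the article, of the two common ways a cookie can prove "already logged in" and how each fares against an attacker who has read the server’s source. A stateless signed cookie is forgeable by anyone who also obtains the signing key, and invalidating it means rotating that key, which logs every user out; a server-side session whose cookie is only a random handle gives the attacker nothing to reconstruct from the code and can be revoked per user. All names and the key-handling details are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SignedCookieSessions:
    """Stateless session: the cookie carries its claims plus an HMAC over them.
    Whoever holds `key` can mint a valid cookie for any user."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, user: str) -> str:
        payload = json.dumps({"u": user}, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(tag)

    def verify(self, cookie: str):
        try:
            p64, t64 = cookie.split(".", 1)
            payload, tag = b64url_decode(p64), b64url_decode(t64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        return json.loads(payload)["u"]

    def rotate_key(self):
        # Invalidates every outstanding cookie, forged and legitimate alike:
        # nothing signed under the old key verifies any more.
        self.key = secrets.token_bytes(32)


class ServerSideSessions:
    """Stateful session: the cookie is a random handle; the user it maps to
    lives only on the server. Reading the code reveals nothing that helps an
    attacker construct a valid handle."""

    def __init__(self):
        self._store = {}

    def issue(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._store[sid] = user
        return sid

    def verify(self, cookie: str):
        return self._store.get(cookie)

    def revoke_user(self, user: str):
        # Per-user invalidation, which the stateless design cannot do without
        # an extra denylist.
        for sid in [s for s, u in self._store.items() if u == user]:
            del self._store[sid]


def demo():
    """Returns (before_rotation, after_rotation, stateful) verification results."""
    key = secrets.token_bytes(32)
    server = SignedCookieSessions(key)
    legit = server.issue("alice")
    # An attacker who stole the code AND the signing key just runs the same code.
    attacker = SignedCookieSessions(key)
    forged = attacker.issue("victim")
    before = (server.verify(legit), server.verify(forged))  # ("alice", "victim")
    server.rotate_key()
    after = (server.verify(legit), server.verify(forged))   # (None, None)

    stateful = ServerSideSessions()
    sid = stateful.issue("alice")
    # Knowing the format (token_urlsafe(32)) does not help: the attacker has to
    # guess a 256-bit value, so a freshly generated one is rejected.
    guess = secrets.token_urlsafe(32)
    stateful_result = (stateful.verify(sid), stateful.verify(guess))  # ("alice", None)
    return before, after, stateful_result


if __name__ == "__main__":
    print(demo())
```

The signed design is fine as long as the key stays secret; its weakness is that a source-code or secrets leak turns the entire user base into forgeable accounts at once, and the only remedy is a key rotation that invalidates everyone. Keeping session state server-side costs a lookup per request but means a code leak alone gives an attacker nothing to forge.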
Mr. Lord said Yahoo! is notifying users who may have been affected by the data breaches, and is requiring users to change their passwords.
Verizon is in the process of buying Yahoo! and is no doubt watching the situation closely. It doesn’t look like the data breaches have killed the deal, but it certainly can’t be helping.