In a series of developments on corporate cyber attacks, Yahoo has disclosed that more than one billion of its user accounts may have been affected by a hacking attack that dates back to 2013.The electronic mail giant said it appeared separate from a 2014 breach disclosed in September when Yahoo revealed 500 million accounts had been accessed. Yahoo claims that only names, phone numbers, passwords and email addresses were stolen, but not bank or payment data. The company, set to be taken over by Verizon, said it was working closely with the police and other security authorities. Yahoo said it "believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts". It further asserted the breach "is likely distinct from the incident the company disclosed on September 22, 2016". However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, the Internet giant said. Account users were advised to change their passwords and security questions.
The California-based company has more than a billion monthly active users, many of which have multiple accounts. There is also a host of inactive or dormant account.
Cyber security expert Troy Hunt told a reporter: "This would be far and away the largest data breach we've ever seen. In fact, the 500 million they reported a few months ago would have been, and to see that number now double is unprecedented." The company further claims that some of the breaches could be linked to state-sponsored activity, as with the previous attack.
Prof Peter Sommer, a specialist in digital forensics at Birmingham City University, speaking to a reporter said he could be persuaded it was a state-sponsored hack, "but at the moment I'm not". He expressed his doubts by saying "What on earth is a state going to do with one billion accounts of ordinary users? That's the difficulty I have". In September, when Yahoo disclosed the 2014 data breach, the company said information had been "stolen by what we believe is a state-sponsored actor", but it did not say which country it held responsibly.
While this latest disclosure raises fresh questions about Verizon's $4.8bn proposed acquisition of Yahoo, and whether the US mobile carrier will try to modify or abandon its bid, it also reasserts the larger threats to national security of various nations posed by recurring individual, corporate or state-sponsored cyber attacks.