Earlier this year Yahoo announced 500 million accounts had been affected by a data breach that originated in 2014.
It was revealed last night that in a separate hack a year earlier, in 2013, one billion accounts were breached.
Yahoo said it “believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts”.
The breach “is likely distinct from the incident the company disclosed on September 22, 2016”.
The 2013 hack was uncovered as part of the investigation into that previously disclosed incident.
Cyber security expert Troy Hunt told the BBC: “This would be far and away the largest data breach we’ve ever seen.”
“In fact, the 500 million they reported a few months ago would have been, and to see that number now double is unprecedented.”
One billion accounts’ worth of personal information, including email addresses, names, phone numbers, passwords and security questions, has been exposed. It is an absurdly high figure that makes “a potent package for identity theft”, according to Tyler Moffitt, senior threat research analyst at cyber security company Webroot.
Bob Lord, CISO of Yahoo, wrote in a message to Yahoo customers: “Following a recent investigation, we’ve identified data security issues concerning certain Yahoo user accounts. We’ve taken steps to secure those user accounts and we’re working closely with law enforcement.”
As part of precautions, Yahoo has advised users to change their passwords and security questions.
What is most worrying is two-fold. First, how did this breach go undetected for so long? It proves that serious investment must be made in detection security technology.
Second, Yahoo is not sure how the breach occurred. This is not “uncommon”, according to Paul Calatayud, CTO of FireMon.
“Often the forensic data is there, but being able to sift through the complexities and scale of a large technology base is a challenge.”
“For all of us, this breach is a reminder that your online identities are always at risk. There is a lot of talk about making sure you have strong passwords but when those passwords are exposed in a breach, there is a different issue that arises – what else can the hackers do with knowledge of your password?”
Will this affect Verizon’s $4.8 billion acquisition of Yahoo? The answer is probably yes.
The 500 million account breach sparked talk of a merger discount, but Verizon had said it would monitor the situation.
It is unclear how it will respond, and the telecoms giant may pull out of the deal altogether. It seems Yahoo’s security protocols have been woeful, or negligent to say the least: the largest data breach in history – twice!
“These accounts have been compromised for years and the sheer number of them means they have already been a large source of identity theft. No one should have faith in Yahoo at this point and this breach might very well affect the $4.8 billion Verizon deal,” said Moffitt.