SAN JOSE, Calif. (CN) – Yahoo suffered another massive data breach, with the private information of more than a billion of the company’s customers potentially compromised.
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than 1 billion user accounts,” Bob Lord, the company’s chief information security officer, said in a prepared statement Wednesday. “We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
The latest breach means a large swath of the technology giant’s customers have had their emails, passwords, dates of birth, encrypted and unencrypted security questions, telephone numbers and names compromised by an unknown third party.
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” Lord said. “Payment card data and bank account information are not stored in the system the company believes was affected.”
Yahoo said the incident is distinct from the data breach the company announced in September, which was the largest data breach in history until Wednesday’s announcement supplanted it.
As with the previous breach, Yahoo attributed the hack to a “state-sponsored actor” but declined to name which state.
Various experts have identified Russia and China as the two chief suspects. But many in the technology world have expressed skepticism that either is responsible, saying Yahoo is saved from embarrassment by attributing the breaches to nations with vast resources and questionable agendas.
Russia’s hacking activity has been the subject of several news articles in recent weeks, as The New York Times detailed the mounting evidence that points to Russia as responsible for the two separate hacks of the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta.
Yahoo’s latest breach has cast doubt on the survival of its $4.8 billion merger deal with Verizon. The deal was struck before either breach was disclosed, and Verizon executives have insinuated publicly that the first data breach diminishes the value of the company.
Yahoo disputes such notions.
“We are confident in Yahoo’s value and we continue to work toward integration with Verizon,” a company spokesman said Wednesday evening.
In the latest breach, the perpetrator(s) accessed the company’s code and used it to forge cookies that allowed them to access the site, the company said.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used,” Lord said. “We are notifying the affected account holders, and have invalidated the forged cookies.”
Yahoo users are encouraged to change all their passwords, to change similar passwords used for other websites, and to monitor their different accounts for suspicious activity.
Today’s announcement will likely add to Yahoo’s legal woes.
The New York Times reported in early November that 29 separate lawsuits have been filed against Yahoo, with claims almost universally centering on whether the company acted sufficiently to protect its clients’ personal data.
“Yahoo was so grossly negligent in securing its users’ personal information that it says that it did not even discover the incident until the summer of 2016,” plaintiff Ronald Schwartz said in a lawsuit filed in federal court in San Jose.
A similar suit filed in San Diego said the data breach represented an intrusion into personal financial information.
The FBI has confirmed it is investigating the hack.