SAN FRANCISCO — Yahoo late Wednesday disclosed a breach that took place in August 2013 that may have resulted in the theft of data associated with more than one billion user accounts.
This new, 1-billion-account breach is separate from a 500-million-account breach the company disclosed in September of this year. At the time, the 500-million-account breach, which took place in 2014, was believed to be the largest on record. Yahoo (YHOO) shares fell 2.5% after hours.
The new revelation comes at a time when cybercrime issues loom large as never before.
The CIA has accused Russia of specifically attempting to tamper with the U.S. election via hacked emails, ransomware hit the nation's seventh-largest transit system, in San Francisco, and a monster botnet of hijacked devices took down much of the East Coast's Internet traffic for a day in October.
“We truly are under major siege and we’re unprepared for it. It really is a national emergency,” said Avivah Litan, vice president at Gartner Research. “We need a national response plan for this.”
Whether the attacker in this instance was state-sponsored or merely economically motivated, the danger is very real, said Steve Grobman, chief technology officer at Intel Security.
“We're increasingly seeing data being used as a weapon, where leaked or fabricated information is being used to intentionally damage individuals and governments,” he said. “As is the case in any cyber-attack, the incentive is there, the reputation threat is real, and intelligence services have 1 billion reasons to try.”
Yahoo said in September that it had evidence linking the 500-million-account breach to a state-sponsored actor.
It does not know who is behind the 1-billion-account breach announced Wednesday and it does not appear the two are linked.
In a statement on its website, the company said, "We believe that the August 2013 incident is likely distinct from the incident we disclosed on September 22, 2016."
There is some overlap between the affected accounts, but Yahoo is not disclosing how much.
Verizon announced a deal to acquire Yahoo on July 25 and work on the takeover has been ongoing since then.
"As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions,” Verizon said in a statement to USA TODAY.
The revelation could absolutely derail the Verizon acquisition, said Jacob Olcott, former legal advisor to the Senate Commerce Committee and now vice president at the security firm BitSight.
Verizon was buying Yahoo in part to get customer accounts.
“Now Verizon will be trying to figure out what the customer loss will be based on this information that’s being released now and how it affects their valuation,” he said. In addition, Verizon will need to factor in how much it will cost for them to bring Yahoo up to their security standards, he said.
Yahoo disclosed in November that law enforcement officials had given it data files showing what appeared to be evidence that an unknown third party had access to Yahoo user data.
Yahoo brought in outside forensic experts and confirmed that the data was in fact from Yahoo users.
As part of that analysis, Yahoo now believes the attacker “stole data associated with more than one billion user accounts,” the company said in a release.
Yahoo does not know who was behind the theft.
The company has pinpointed the date when the attackers were able to remove user information from the system as August 2013, but it does not know when they gained entry to its network or how long they were there.
The fact that the breach went unnoticed for so long isn’t surprising, said Arun Vishwanath, a security expert at the University at Buffalo.
“The sobering facts are that almost all such hacks are only accidentally discovered and that hackers usually stay in the system undetected for at least a year if not more. Yahoo's case is not so unique. Only its scale is troubling,” he said.
The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, the company said.
The stolen information did not include payment card data or bank account information, Yahoo said.
Yahoo is working to notify affected users, and is working closely with law enforcement to investigate the breach.
Some in the security community said Yahoo had not been as concerned with security as it might have been.
“In our interactions with Yahoo over the years, there has been a consistent lack of interest in security as well as a palpable arrogance in their ability to manage their security without any help from the outside. As we said in our last interaction, ‘thank you for the meeting and the best of luck doing everything yourself,’” said Philip Lieberman, president of Los Angeles-based Lieberman Software.