Another Yahoo Boo-Boo: 1 Billion User Accounts Stolen

As if the security news about Yahoo couldn't get any worse, the company disclosed today (Dec. 14) that data pertaining to up to 1 billion user accounts may have been stolen by an unknown party in August 2013.

Yahoo headquarters in Sunnyvale, California. Credit: Justin Sullivan/Getty Images


This massive breach, likely the largest on record, is not connected to the previous record-holder, a 2014 data breach that saw 500 million Yahoo accounts compromised by a separate band of intruders.

Today's announcement also disclosed that internal secret codes relating to user authorization cookies may have been stolen in 2015 or 2016, permitting an intruder — possibly the same as that in 2014 — to log into Yahoo accounts without a password.

If you're a Yahoo user, you may already be familiar with what to do: Change your Yahoo password to something strong and unique and enable two-factor authentication. And, um, consider closing out your Yahoo account.


At this point, Yahoo is starting to look like the Democratic National Committee of online portals, with different hacker groups snooping around its files, unknown to each other or to the people who are supposed to be guarding the data.

The 1 billion stolen records in this latest breach included "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," according to a Yahoo press release.

MD5 is an old hashing algorithm, long used to protect stored passwords, that the U.S. government in 2008 declared "cryptographically broken and unsuitable for further use." Any decent hacker with a powerful computer will be able to "crack" nearly all of those MD5-protected passwords. In late 2014, Yahoo changed its password-hashing algorithm to a much stronger one.
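The "rehash on login" pattern that retires unsalted MD5 records like the 2013-era ones described above, as an added Python example (not Yahoo's code); the record format, the PBKDF2 iteration count and the sample users are assumptions:

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Legacy records are a bare 32-hex-char MD5 digest, unsalted (assumed format).
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as in the old records: identical passwords give identical
    digests, and each guess costs one cheap hash, so offline cracking is fast."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as a self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either format, in constant time.
    Returns (ok, upgraded_hash): when a legacy MD5 record verifies, a fresh
    PBKDF2 hash is returned so the caller can overwrite the record at once."""
    if LEGACY_MD5.match(stored):
        ok = hmac.compare_digest(stored, legacy_md5(password))
        return ok, (hash_pbkdf2(password) if ok else None)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False, None  # unknown or malformed record: fail closed
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex), None


def migration_report(records: Dict[str, str]) -> Dict[str, int]:
    """Count how many stored records still carry the legacy MD5 format,
    i.e. how much of the database a leak would expose to cheap cracking."""
    legacy = sum(1 for h in records.values() if LEGACY_MD5.match(h))
    return {"legacy_md5": legacy, "pbkdf2": len(records) - legacy}
```

Users who never log in after the algorithm change keep their MD5 record, which is why a report like the one above matters: a migration is only complete when that count reaches zero or the stragglers are forced to reset.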

In a detailed help page related to today's announcements, Yahoo said that "potentially affected users" were being notified, and that it was requiring many of those users to change their passwords and cancelling security questions and answers. The company said it had also invalidated the forged authorization cookies connected to the second Yahoo data breach disclosed today.

Law-enforcement authorities came to Yahoo last month with stolen data that an undisclosed party claimed came from the company's databases, according to the help page. That led to the discovery of the 1 billion stolen accounts.

It's possible that the 2013 data came from the talkative hacker known as Peace, who this year told reporters about other massive breaches from 2013. Earlier this year, Peace's Yahoo samples were declared to be fake, but in the course of investigating those claims, Yahoo's team found the real 2014 data breach.

The forged authorization cookies were looked into by "outside forensic experts" working for an unnamed company, who linked them to the "same state-sponsored actor" — possibly Russian or Chinese hackers — responsible for the 500 million compromised accounts from 2014. (That breach came to light only three months ago.)

None of these breaches are connected to the recent allegations that Yahoo spied on user emails at the behest of the U.S. government in 2015.

In July 2016, Yahoo reached an agreement to sell its core businesses to Verizon for $4.8 billion.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.