Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, disclosed Wednesday that more than one billion user accounts may have been affected in a hacking attack dating back to 2013.
Yahoo said the stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (Yahoo's statement said the hash was MD5, an unsalted fast hash that offers little protection against offline password guessing) and, in some cases, unencrypted security questions and answers that could be used to reset a password. It said no bank or payment card data was taken.
The two attacks are the largest known security breaches of one company’s computer network.
The company, which is being taken over by Verizon, said it was working closely with law enforcement.
Yahoo said in a statement that it "believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts."
The breach "is likely distinct from the incident the company disclosed on September 22, 2016".
However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, Yahoo said.
Yahoo said it is forcing all of the affected users to change their passwords and it is invalidating unencrypted security questions — steps that it declined to take in September.
Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.
Bob Lord, Yahoo's chief information security officer, said in a statement that the state-sponsored actor behind the 2014 attack had also stolen Yahoo's proprietary source code. Outside forensics experts working with Yahoo believe the attackers used that code to access user accounts without their passwords by forging "cookies", the short strings a website stores in a user's browser and that the browser sends back with every request to prove the user has already logged in. An attacker holding a forged cookie is treated by the site as the victim: it can read the victim's data and act in the victim's name without ever supplying a password and without triggering a login that the user might notice. The company has not disclosed who it believes was behind the attack.
Yahoo's valuation hit $125bn during the dot-com boom, but it has been losing ground since then despite several attempts to revive its fortunes.