Thursday, March 28, 2024 | Ramadan 17, 1445 H
broken clouds
weather
OMAN
23°C / 23°C
EDITOR IN CHIEF- ABDULLAH BIN SALIM AL SHUEILI

Yahoo reveals new hack, this time a billion-plus users

868877
868877
minus
plus

Washington: Yahoo said personal data from over a billion users was stolen in a hack dating back to 2013 — twice as big as another breach disclosed just three months ago.


In a huge blow to the struggling Internet pioneer, Yahoo said it made the discovery as it was investigating what was already the largest data breach of a single company.


“Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” it said in a statement.


Yahoo said this case “is likely distinct from the incident the company disclosed on September 22, 2016” affecting 500 million users.


The news poses a fresh threat to Yahoo’s deal to sell its core operating assets to Verizon for $4.8 billion.


In November, Yahoo disclosed that as part of its investigation into the prior breach, it had received data files from law enforcement “that a third party claimed was Yahoo user data.”


Using outside forensic experts, Yahoo now confirms that this was indeed user data but added that it “has not been able to identify the intrusion associated with this theft.”


The statement added that “Yahoo has taken steps to secure user accounts and is working closely with law enforcement.”


Yahoo’s chief security officer Bob Lord said in a blog post that some of the intrusions were done by hackers who accessed accounts without a password by using “forged cookies,” or data files which verify a device or user.


“We believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” he said, adding that “we have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22.”


Yahoo also said it was requiring affected users to change their passwords, and had invalidated unencrypted security questions and answers.


Yahoo said in September it believed the breach of information on 500 million users was “state sponsored” but some analysts have questioned this theory.


The stolen user account information in the newly disclosed breach may have included names, email addresses, telephone numbers, dates of birth, “hashed” passwords and, in some cases, encrypted or unencrypted security questions and answers, Yahoo said.


The hackers did not obtain passwords in clear text, payment card data, or bank account information, it said.


The latest breach discovery is a further embarrassment to a company that was one of the biggest names of the internet but which has failed to keep up with rising stars such as Google and Facebook.


Steve Grobman, Chief Technical Officer at Intel Security, said the two incidents show “there were clear weaknesses in the architecture” used by Yahoo but that such hacks are not just about technology.


Large organisations holding vast amounts of user data, Grobman said, “need to rely not just on technology but use independent or internal resources to defend against attack scenarios.”


Grobman said Yahoo can recover from the debacle but that “it needs to be transparent and show that it will emerge with the best security.”


Patrick Moorhead, analyst at Moor Insights & Strategy, said it is possible the disclosure will kill the tie-up with Verizon. — AFP


SHARE ARTICLE
arrow up
home icon