Yahoo has experienced the biggest data breach in history, with up to one billion user accounts thought to have been affected.
The tech giant revealed yesterday (December 14th) on Tumblr that this unprecedented data breach is believed to have taken place in August 2013.
Further, this particular compromise is thought to be unrelated to 2014’s data breach, which Yahoo revealed at the end of September. Approximately 500 million user accounts were affected in that earlier incident.
Bob Lord, chief information security officer at Yahoo, said that information including names, email addresses, telephone numbers, dates of birth and hashed passwords was stolen.
Additionally, in some cases, encrypted or unencrypted security questions and answers were also accessed by the perpetrator(s) behind the colossal data breach.
Presently, he continued, “the company believes” that bank account and payment data has not been accessed, as this information is not stored on its system.
Lord added that this incident came to light as part of the company's investigation into 2014’s data breach, which has now been overshadowed by this latest revelation.
“Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” the expert went on to say.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.
“We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for [2014’s] data theft.”
The tech giant, which is in the process of being acquired by Verizon, has advised its users to do the following:
- Change passwords on your Yahoo account, as well as other accounts where you have used the same/similar details
- As above, update security answers and questions on your Yahoo account, as well as other accounts
- Be on the lookout for suspicious activity on all your accounts
- Be wary of unsolicited communications across multiple channels, including email, phone, social media and the web
- Do not click on links or download attachments from emails that seem fraudulent
Please also check out ESET security specialist Mark James' insightful piece on the data breach, which also includes informative security advice.