15th Dec 2016
Image copyright Reuters
Yahoo has said more than one billion user accounts may have been affected in a hacking attack dating back to 2013.
The internet giant said it appeared separate from a 2014 breach disclosed in September, when Yahoo revealed 500 million accounts had been accessed.
Yahoo said names, phone numbers, passwords and email addresses were stolen, but not bank and payment data.
The company, which is being taken over by Verizon, said it was working closely with the police and authorities.
Yahoo said it “believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts”.
The breach “is likely distinct from the incident the company disclosed on September 22, 2016”.
However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, Yahoo said.
Account users were urged to change their passwords and security questions.
The California-based company has more than a billion monthly active users, although many people have multiple accounts. There are also many accounts that are little used or dormant.
Cyber security expert Troy Hunt told the BBC: “This would be far and away the largest data breach we’ve ever seen. In fact, the 500 million they reported a few months ago would have been, and to see that number now double is unprecedented.”
Yahoo said some of the breach could be linked to state-sponsored activity, as with the previous attack.
Prof Peter Sommer, a specialist in digital forensics at Birmingham City University, told the BBC he could be persuaded it was a state-sponsored hack, “but at the moment I’m not”.
“What on earth is a state going to do with one billion accounts of ordinary users? That’s the difficulty I have,” he said.
In September, when Yahoo disclosed the 2014 data breach, the company said information had been “stolen by what we believe is a state-sponsored actor”, but it did not say which country it held responsible.
The latest disclosure raises fresh questions about Verizon’s $4.8bn proposed acquisition of Yahoo, and whether the US mobile carrier will try to modify or abandon its bid.
‘Pattern of serious failures’
If the hacks cause a user backlash against Yahoo, the company’s services would not be as valuable to Verizon.
Verizon said that it would evaluate the situation as Yahoo investigates and would review the “new development before reaching any final conclusions”.
Mr Hunt said that Verizon allegedly cut its valuation of Yahoo by $1bn – almost 20% of the original bid’s value – after the news emerged of the 2014 attack.
The latest revelations “will surely impact that valuation even further, not just because of the scale of it, but because it shows a pattern of serious failures on Yahoo’s behalf”, he said.
It is a further embarrassment to a company that was once one of the biggest names of the internet but which has failed to keep up with rising stars such as Google and Facebook.
Yahoo was once deemed to be worth $125bn during the dotcom boom. Various attempts to revive its fortunes have failed to stem its decline.
Analysis: Dave Lee, North America technology reporter
Good grief, can things get any worse for Yahoo? A complete disaster. Embarrassing. Negligent?
We’ve come to accept that even the best systems get attacked by cyber criminals. But repeatedly? And in such great numbers? Something was seriously, seriously wrong.
Looking to the future, this is yet more concern for Verizon, which agreed to buy Yahoo before all of these disasters were made public.
It wanted the company because of its huge user-base and advertising reach. How many of those users are going to stick around when this kind of thing is going on? What’s in it for them?
There’s talk of a discount on the $4.8bn Verizon agreed to pay out. It’s a game of how-low-can-you-go in the new year, you’d think.