Bob Lord, chief information security officer at Yahoo, disclosed details of the breach in a blog post.
“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.
Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.
“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.
“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”
The incident came to light after US law enforcers shared files with the company that a third party claimed contained Yahoo user data.
“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.
Yahoo admits that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.
“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”
This suggests that many users' security questions and answers were compromised as well.
This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.
At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.
After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.
In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.
“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”
“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”