On 15 December 2016, Yahoo disclosed a discovery that more than a billion user accounts had been compromised, and shared details of an investigation:
Yahoo on Wednesday said it had discovered a new data breach of more than a billion accounts, dwarfing the hack it revealed three months ago and threatening the company’s $4.8 billion sale to Verizon … The fresh disclosure gives Yahoo the unfortunate distinction of being the victim of the two largest hacks in history. Verizon expressed reservations about the impending sale — scheduled to close early next year — after the first hack came to light.
Yahoo on Wednesday issued a statement saying personal information from more than a billion user accounts was stolen in 2013. The news followed the company’s announcement in September that hackers had stolen personal data from at least half a billion accounts in 2014. Yahoo said it believes the two thefts were separate.
Yahoo said it had “not been able to identify the intrusion” that enabled the 2013 theft but did not say when it learned of the theft. Yahoo blamed an unspecified state-sponsored actor for the 2014 hack … The information Yahoo said was stolen in August 2013 matches the types taken in 2014, and may have included users’ names, email addresses, phone numbers, dates of birth, scrambled passwords and security questions and answers, Yahoo said.
The breach occurred in August 2013, although initial reports indicated that Yahoo only recently learned of the attack. Additional details, such as exactly when and under what circumstances the breach was discovered were not immediately available.
Information about the data hack noted that it was the largest in history, rivaled only by a separate Yahoo breach (thought to be unrelated) disclosed by the company in September 2015:
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled by a cryptographic technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
Multiple reports speculated that the second breach further threatened a multi-billion dollar deal with telecommunications giant Verizon:
The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago . That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
“It’s shocking,” security expert Avivah Litan of Gartner Inc.
Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.
In the aftermath of Yahoo’s announcement, security experts across the board warned of potential problems associated with the use of a “life password,” a common habit in which people employ identical passwords across networks. If those passwords were exposed, accounts not associated with Yahoo could also be compromised alongside common usernames or other typical login information.
A Verizon executive said that the company would review all available information before reaching any final conclusions.