Yahoo is reporting a massive data breach, dating to August 2013, that disclosed personal details associated with more than 1 billion user accounts.
Today’s disclosure comes less than three months after Yahoo admitted a 2014 hack by state-sponsored hackers involving data from 500 million accounts. The newly reported breach is separate from that earlier disclosed incident.
Yahoo chief information officer Bob Lord said in a statement that the two incidents are separate from each other, but some of the activity has been connected to the same state actor Yahoo said was responsible for the 2014 intrusion.
“We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” Lord said in his statement.
According to his statement, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.
What can users do to protect their account?
If you are one of the potentially affected users, you are strongly advised to change your passwords and invalidate affected security questions.
Also, if you are using the same password and answers for security questions somewhere else, change them too.
Review all of your accounts for suspicious activity.
Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
Avoid clicking on links or downloading attachments from suspicious emails.
Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. The company has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.