Yahoo hack hit more than a billion accounts

Yahoo warns that its systems were compromised in August 2013, looting the data of more than a billion accounts. This includes e-mail addresses, telephone numbers and passwords hashed with MD5.

Yahoo has not been able to determine how its systems entered, but believes the hack is unrelated to the incident the company revealed in September, which revealed the theft of 500 million account details.

The new notification is based on an analysis of a data set that Yahoo received from US authorities earlier this year. “Based on the analysis of the data by forensic experts, we believe that in August 2013, an unauthorized party stole data from more than one billion user accounts,” Yahoo reported.

Stolen data includes names, email addresses, phone numbers, dates of birth, and in some cases encrypted and unencrypted security questions and answers. In addition, the hashed passwords that were deemed unsafe with MD5 were also stolen. It was already clear in 2013 that MD5 was not safe. Clear text passwords have not come into the hands of the attackers and bank details are not part of the hack, Yahoo claims.

The company will warn all affected accounts and says it has tightened security. In addition, all users must change their passwords and set new security questions in order to recover their passwords.

At the same time as revealing the hack, Yahoo reports that while penetrating its systems, attackers have seen code that allowed them to forge cookies. This incident links Yahoo to the hack it announced in September. Forged cookies allowed attackers to gain access to accounts without having a password. There would be indications that the attack came from state hackers. It is not known whether this is also the case with the attack that has now been reported.