Yahoo announced the attack today. It said that forensic experts found cybercriminals stole data associated with “more than one billion” user accounts in August 2013. The company confirmed the breach is “likely distinct” from the one it reported in September 2016. That attack took place during 2014 and affected around 500 million users.
Yahoo has managed to set the record for the world’s largest data breach twice in a single year. The scale of the new attack is unprecedented and a lot of unknowns remain around its nature. Yahoo said it believes a “state-sponsored” actor is responsible for at least part of the data theft. The perpetrator may be linked to the later attack in 2014.
State-sponsored campaigns are usually identifiable by their unique nature. They often rely on highly sophisticated malware, although this is not always the case. Yahoo said it has not yet identified the intrusion linked to the theft.
In a separate incident disclosed today, Yahoo said it had found evidence of an attack on its systems that let criminals login without a password. The company said the outsiders accessed its proprietary code and worked out how to forge cookies, giving them access to its servers.
Cookies are small pieces of data sent to a web server when a device makes a request. When you login to the website, a cookie is issued to your computer. Next time you visit one of Yahoo’s services, the computer sends the cookie along with the request. The server uses the information within to verify your identity.
Cookies are protected by a special signature that only the server knows. This prevents them being forged. The attackers managed to work out how to create cookies that pass the server’s safeguards, giving them authenticated access to Yahoo’s data.
Yahoo said it has invalidated all the forged cookies and “hardened” its systems to protect against future attacks. It hasn’t disclosed exactly what has changed. The company has previously attracted criticism for failing to offer the same level of protection as its rivals.
Yahoo said it will be contacting all one billion potentially affected users. Password changes will be mandated and security questions reset. Customers should also change their password on other online services to ensure it’s not the same as the hacked Yahoo one. It’s believed the attackers obtained names, phone numbers, dates of birth and other sensitive information.
Even people who do not knowingly hold a Yahoo account could be involved in the breach. The company owns services including Flickr and Tumblr, although it has said the latter isn’t affected. Yahoo also provides email to a number of Internet service providers. The U.K.’s BT said it is “urgently” contacting Yahoo for more information on the breach.
The record-breaking attack is likely to have consequences on Verizon’s deal to buy Yahoo. In July, Verizon agreed to spend $4.83 billion on the troubled tech pioneer. In October, Verizon lawyer Craig Silliman acknowledged there’s “reasonable basis” to assume the first reported data breach will have “material” impact on the sale price.
Verizon is thought to be seeking a $1 billion discount on Yahoo as a consequence of the breach. With another attack twice as large as the first now disclosed, it’s looking increasingly likely that Verizon will be looking for a substantial reduction in price.
“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” a Verizon spokesperson said to TechCrunch. “We will review the impact of this new development before reaching any final conclusions.”
