Yahoo Says Hackers Stole Data From More Than 1 Billion User Accounts
NEW YORK (CBSNewYork/AP) -- Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company's own humiliating record for the biggest security breach in history.
The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago . That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
"It's shocking," security expert Avivah Litan of Gartner Inc.
Both lapses occurred during the reign of Yahoo CEO Marissa Mayer, a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion -- a deal that may now be imperiled by the hacking revelations.
Yahoo didn't say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn't been able to identify the source behind the 2013 intrusion.
Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks.
Yahoo says the information stolen may include names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.
But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice -- once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.
Paul Oster -- founder of Better Qualified Credit Restoration -- says it's best to be proactive by regularly checking your credit reports and bank statements.
"Nobody can prevent these attacks at this point in time," he said. "As a consumer, one of the things you have to do is change your pins and passwords."
News of the additional hack further jeopardizes Yahoo's plans to fall into Verizon's arms. If the hacks cause a user backlash against Yahoo, the company's services wouldn't be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.
After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the "new development before reaching any final conclusions." Spokesman Bob Varettoni declined to answer further questions.
As 1010 WINS's Al Jones reported, Yahoo is in the process of notifying potentially affected users, requiring them to change their passwords.
(TM and © Copyright 2016 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2016 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)
