The internet giant said it “believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.”
This is double the number of accounts affected in a 2014 cyber attack, which prompted Verizon Communication Inc (NYSE:VZ) to say it might back down from promises to buy Yahoo’s internet business for $4.83 billion (£3.8 billion).
Following today’s news, Verizon said “we will review the impact of this new development before reaching any final conclusions.”
Cyber expert Troy Hunt said: “This would be far and away the largest data breach we’ve ever seen. In fact, the 500 million they reported a few months ago would have been, and to see that number now double is unprecedented.
“Yahoo hasn’t attributed the attack to any state-sponsored activity as they did with the previous incident. They’ve referred to the tampering of cookies, though, which gives us some useful insight into where the vulnerability may have existed in their system.”
Yahoo’s chief information security officer said he believes that hackers forged “cookies” – code that stays in the user’s browser cache – allowing them to access the website without a password.
“Yahoo badly screwed up,” said Bruce Schneier, a cryptologist and respected security expert. “They weren’t taking security seriously and that’s now very clear. I would have trouble trusting Yahoo going forward.”
Yahoo was tentative in its description of new problems, saying the incident was “likely” distinct from the one it reported in September and that stolen information “may have included” email addresses, names, dates of birth, telephone numbers, hashed passwords and security questions and answers.
Yahoo shares were down 2.4 percent to $39.91 in extended trading. Verizon shares were little changed from their close at $51.63.