After announcing a data breach affecting 500 million users in September, Yahoo has today announced a second breach this time affecting 1 billion accounts.
The breach announced today occurred in August 2013, earlier than the previously disclosed hack, which occurred in 2014. According to today’s blog post, the 2013 hack ‘may have included’ data such as ‘names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers’.
The breach wasn’t discovered by Yahoo itself; the company was informed of it by law enforcement, and Yahoo has been unable to determine how the data was stolen. In the blog post, Bob Lord, Yahoo’s Chief Information Security Officer (CISO), said ‘We have not been able to identify the intrusion associated with this theft’.
The information included passwords hashed with MD5, a fast, unsalted hashing method that has for some time been regarded as unsuitable for password storage. Yahoo has advised that it will be contacting affected account holders.
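To make concrete why unsalted MD5 is a poor fit for password storage, here is an added example (not code from Yahoo or from this article) that stores a small constructed set of user passwords two ways: with plain MD5, as the blog post describes, and with a salted, iterated PBKDF2-HMAC-SHA256 hash from Python’s standard library. The user names and passwords are made up; the 600,000 iteration count is a commonly recommended figure for PBKDF2-SHA256, not a value from the page. Because MD5 is deterministic and unsalted, two users with the same password receive the same stored hash, so a leaked table exposes password reuse across accounts before anyone tries to recover a single password; the salted scheme removes that correlation and slows each guess.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: two users who happened to pick the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correcthorse",
    "bob@example.com": "correcthorse",
    "carol@example.com": "Tr0ub4dor&3",
}


def md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the blog post says was used in 2013.
    Same input always yields the same output, and it is very fast to compute."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib). A fresh 16-byte random
    salt per user means equal passwords no longer produce equal records.
    Stored format (assumption for this example): algo$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def duplicate_hash_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Defender-side check on a credential table: which users share an identical
    stored hash? With unsalted MD5 this directly reveals shared passwords;
    with per-user salts the answer should be empty."""
    groups: Dict[str, List[str]] = {}
    for user, h in stored.items():
        groups.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def build_tables(users: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Hash every sample user both ways so the two schemes can be compared."""
    return {
        "md5": {u: md5_hash(p) for u, p in users.items()},
        "pbkdf2": {u: pbkdf2_hash(p) for u, p in users.items()},
    }


if __name__ == "__main__":
    tables = build_tables(SAMPLE_USERS)
    print("Users sharing an MD5 hash:   ", duplicate_hash_groups(tables["md5"]))
    print("Users sharing a PBKDF2 hash: ", duplicate_hash_groups(tables["pbkdf2"]))
    print("alice verifies with PBKDF2:  ",
          pbkdf2_verify("correcthorse", tables["pbkdf2"]["alice@example.com"]))
```

Running the block shows alice and bob grouped together under MD5 and no groups under PBKDF2. The same idea generalizes to bcrypt, scrypt or Argon2, which are the usual choices today; PBKDF2 is used here only because it ships with the standard library.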
If you’re using any of the many Yahoo services available on the Web or on Google Play, it’s time to check your security. If you aren’t already, we highly recommend you stop using the same old password on every site and start using a password manager application such as LastPass, KeePass or any one of the many others available.
Why do they announce this 3 years after the damage was done?
Because they were only informed of the breach by law enforcement. If they’d found the breach themselves, they would’ve taken action sooner.