Yahoo’s security protection was even worse than you might have thought from its disclosure in September that 500 million accounts had been hacked in 2014. Its shares are down about 2.3% in post-market trading today following a new disclosure that an “unauthorized third party” stole information from more than 1 billion accounts in 2013.
The company doesn’t know who hacked the user data but says this breach is “likely distinct from the incident” it reported in September.
The stolen information “may have included users’ names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” the company says.
But hackers didn’t get passwords in clear text. They also didn’t find payment card data or bank account information, which are stored in a different system that wasn’t hit.
Yahoo says that it’s telling people who might have been hit to change their passwords and has invalidated unencrypted security questions and answers.
On top of that, Yahoo says that the “state-sponsored actor” it believes is responsible for the 2014 hack may have accessed its “proprietary code to learn how to forge cookies” to access accounts without a password. It has invalidated the forged cookies and is telling users who might have been affected.
The latest news might further embolden Verizon to seek a cut in the $4.8 billion it agreed to pay for Yahoo’s assets. CFO Fran Shammo told analysts in October that the hack of the 500 million users “will have a material impact on Yahoo.” The telco is believed to have wanted to cut $1 billion from the purchase price after the earlier news.