US tech company Yahoo has revealed one billion user accounts were hacked in August 2013. The cyber attack is believed to be separate from a previous hack disclosed in September 2016.
Yahoo said that it was notified of the hack by law enforcement agencies in November, but investigations have not been able to identify how the hackers carried out the theft, which it believes was the work of a state-sponsored actor.
The hackers are believed to have accessed information that may include names, email addresses, telephone numbers and dates of birth, along with “hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”
Yahoo chief information security officer Bob Lord said: “We believe an unauthorised third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”
Yahoo’s investigation indicates that stolen information did not include passwords in clear text, payment card data or bank account information.