It’s nearly twice as large as a separate hack disclosed in September.
More than one billion Yahoo accounts have been hacked, the company announced on Wednesday, three months after it disclosed a separate data breach that affected more than 500 million accounts.
The hack disclosed today occurred in August 2013, and compromised names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers, according to Bob Lord, Yahoo’s chief information security officer.
“We have not been able to identify the intrusion associated with this theft,” he said in a statement. “We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
Yahoo’s investigators do not believe that any credit card data or bank account information was stolen, since it is handled by a separate system from the one that was hacked. Yahoo also said that the stolen passwords and some of the security questions and answers were hashed, meaning that the thieves would not be able to read them without additional information from a separate database.
Yahoo has invalidated the unencrypted security questions that were stolen, and is notifying users whose accounts may have been hacked, the company said.
In addition to the 2013 hack, Yahoo also said Wednesday it is investigating reports of forged cookies that may be connected to the hack announced in September. Forged cookies can allow account access without entering a password, and Yahoo said it will notify users whose accounts may have been affected.
Yahoo blamed the breach announced in September on a “state-sponsored actor,” but refused to elaborate. Lord said that some of the forged cookie activity was connected to the same state-sponsored actor.