Yahoo now believes an “unauthorized third party” stole user data from more than one billion accounts in August 2013. That data may have included names, email addresses and passwords, but not financial information.
The company said it will notify users who may be affected and has begun requiring users to change their passwords.
The security incident, is likely one of the largest cybersecurity breaches ever, comes less than three months after Yahoo admitted data from at least 500 million accounts had been stolen.
According to company, the earlier breach, which Yahoo has attributed to a “state-sponsored actor,” is likely unrelated to the newly disclosed breach.
“We believe this incident is likely distinct from the incident we disclosed on September 22, 2016,” Bob Lord, Yahoo’s chief information security officer, wrote in a blog post.
The second cybersecurity breach raises more concerns about whether Yahoo took enough precautions. As one former employee told CNN after the first breach was disclosed, “Security was pushed to the back end” behind “other priorities.”
The original breach was initially viewed as a threat to Verizon’s (VZ, Teech30) $4.8 billion deal to buy Yahoo, given the potential impact on Yahoo’s brand and user retention. Verizon learned about the breach after agreeing to the acquisition and later said it could have a meaningful financial impact on the deal.
AOL CEO Tim Armstrong said earlier this month he was “cautiously optimistic” the deal would go through — but the second massive breach could change that.
“As we’ve said all along, we will continue to evaluate the situation as Yahoo continues its investigation,” Verizon said in a statement Wednesday. “We will review the impact of this new development before reaching any final conclusions.”
Yahoo’s stock fell 2.5% in after hours trading Wednesday following the disclosure.
Posted by Juliet Ekwebelam (CNN)