Yahoo has suffered another hack.
The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.
Troublingly, Yahoo’s chief information security officer Bob Lord says that the company hasn’t been able to determine how the data from the one billion accounts was stolen. “We have not been able to identify the intrusion associated with this theft,” Lord wrote in a post announcing the hack.
“The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,” Lord added.
Yahoo was alerted to the massive breach by law enforcement and has examined the data with the help of outside forensic experts. The data does not appear to include payment details or plaintext passwords, but it’s still bad news for Yahoo account holders. The hashing algorithm MD5 is no longer considered secure and MD5 hashes can easily be looked up online to discover the passwords they hide.
Yahoo says it is notifying the account holders affected in the breach.
Verizon agreed to buy Yahoo in July for $4.83 billion, and Yahoo’s repeated security incidents have led to speculation that Verizon might ask for a discount on the company. “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” a Verizon spokesperson said. “We will review the impact of this new development before reaching any final conclusions.”