In what will go down as one of the largest data breaches in history, Yahoo disclosed today that sensitive account information from more than 1 billion user accounts has been compromised. That's a billion, with a 'b'.
Yahoo says the breach dates back to August of 2013. The stolen data may include names, email addresses, phone numbers, dates of birth, hashed passwords, and possibly unencrypted security questions. Financial information like bank account and credit card data was stored elsewhere, and Yahoo believes that system was not affected.
In response, Yahoo announced it will notify all potentially affected users and require them to change their passwords. As for the unencrypted security questions, Yahoo has invalidated them as well. The 3-year delay in reporting the incident is troubling nonetheless, as hackers have likely already used or sold the information. Yahoo was recently in the spotlight after it disclosed in September that at least 500 million accounts had been compromised in a 2014 breach. Forensic experts do not believe that the two massive hacks are related, but Yahoo employees reportedly knew about the 2014 intrusion well before it was announced.
Also revealed in the press release is information that a third party has accessed Yahoo's proprietary code. This separate incident allowed an intruder to create forged cookies to access user accounts without the need for a password. Yahoo recommends users avoid clicking links or downloading attachments from suspicious emails that appear to be from Yahoo.
While nothing can be made totally secure, a hack of over 1 billion accounts is unprecedented. Earlier this year, Verizon agreed to purchase Yahoo for $4.8 billion, but there is speculation that Verizon may ask for a sizable discount.