In November, Yahoo learned from law enforcement officials that an unauthorized third party had stolen data files containing Yahoo user data. In an official Yahoo statement, the details are given:
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”
The compromised user data may have contained “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” It has also been determined that “clear text, payment card data, or bank account information” were not part of the data breach.
How did this happen? The intruder(s) learned to forge “cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we [Yahoo] believe an unauthorized third party accessed our proprietary code to learn how to forge cookies.”
For individuals affected by this data breach, Yahoo offers this advice: “we are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords.”
As for the cookie forgery issue, Yahoo remarks, “we invalidated the forged cookies and hardened our systems to secure them against similar attacks.” For a complete analysis of the data breach and additional security tips, visit the Yahoo Security Notice of December 14, 2016.
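The two points above (cookies forged by someone who had read the server's code, and the forged cookies later being invalidated) come down to one design question: does the cookie's validity rest on a secret key, or on the secrecy of the code? The following is an added illustration, not Yahoo's code and not a description of its actual cookie format; the class, field names and key-rotation scheme are assumed for the example. It signs session cookies with an HMAC over a key id and payload, so that knowing the full algorithm without the key does not let a modified cookie verify, and shows that rotating the key rejects every cookie issued before the rotation.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(b):  # URL-safe base64 without padding (assumed encoding for this example)
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class CookieSigner:
    """Issues and verifies cookies of the form <kid>.<payload>.<mac> (hypothetical format)."""
    def __init__(self):
        self.keys, self.current = {}, None
        self.rotate()

    def rotate(self):
        """Install a fresh random key and retire all older ones: anything signed
        under a retired key, forged or genuine, stops verifying."""
        kid = secrets.token_hex(4)
        self.keys = {kid: secrets.token_bytes(32)}
        self.current = kid
        return kid

    def issue(self, user_id, ttl=3600, now=None):
        exp = int((now if now is not None else time.time()) + ttl)
        payload = _b64(json.dumps({"uid": user_id, "exp": exp}).encode())
        body = f"{self.current}.{payload}"
        mac = hmac.new(self.keys[self.current], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def verify(self, cookie, now=None):
        """Return the user id for a valid cookie, else None."""
        try:
            kid, payload_b64, mac_b64 = cookie.split(".")
            key = self.keys[kid]                       # unknown or retired kid: reject
            expected = hmac.new(key, f"{kid}.{payload_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac_b64)):
                return None                            # MAC mismatch: tampered or forged
            claims = json.loads(_unb64(payload_b64))
        except (ValueError, KeyError):
            return None
        if claims.get("exp", 0) < (now if now is not None else time.time()):
            return None                                # expired
        return claims.get("uid")

def tamper_uid(cookie, new_uid):
    """Rewrite the payload's uid but keep the old MAC: this is all that reading the
    code (without the key) enables, and verify() rejects the result."""
    kid, payload_b64, mac_b64 = cookie.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["uid"] = new_uid
    return f"{kid}.{_b64(json.dumps(claims).encode())}.{mac_b64}"
```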