Yahoo’s terrible, horrible, no good, very bad year just got even worse.
Just two months after Verizon announced plans to acquire the company, Yahoo announced in September that state-sponsored hackers had stolen the data of some 500 million users. The discovery was made years after the attack, the result of an internal inquiry spurred by reports of user info for sale on the black market.
Today, Yahoo revealed the situation is somehow grimmer than previously believed. According to the company, user data recovered by authorities appears to be from a different hack entirely, one affecting over one billion—with a “b”—users.
“As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data,” said Bob Lord, the company’s CISO, in a press release on Tumblr. “Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.”
Last month, Yahoo revealed that some employees were aware as early as 2014 of the breach announced in September, but the investigation was apparently dropped. Given the company’s less-than-tenacious pursuit of potential intrusions, it’s easy to see how the info of one billion users could also walk out the door unnoticed.
Yahoo has advised “potentially affected users” to change their passwords, but has yet to explain why users should trust the company with their information at all at this point. And they aren’t the only party whose faith in Yahoo might be shaken: As the company noted in an SEC filing last month, Verizon may change the terms of the planned merger or kill it outright “as a result of facts relating to the Security Incident.”
That is, the “Security Incident” before this one.