fb-pixel Skip to main content

SAN FRANCISCO — Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, reported Wednesday that a different attack compromised more than 1 billion accounts in 2013.

The two attacks are the largest known security breaches of one company’s computer network.

The 2013 attack involved sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords, and unencrypted security questions that could be used to reset a password.

Yahoo said it is forcing all of the affected users to change their passwords and invalidating unencrypted security questions — steps that it declined to take in September.


It is unclear how many Yahoo users were affected by both attacks. The Internet company has more than 1 billion active users, but it is not clear how many inactive accounts were hacked.

Yahoo said it discovered the larger hacking after analyzing data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information.

Yahoo has made a steady trickle of disclosures about the 2014 hacking, which it has been investigating with the help of federal authorities. The company said Wednesday that it now believes the attacker in that breach, which it says was sponsored by a government, found a way to forge credentials to log in to some users’ accounts without a password.

Bob Lord, Yahoo’s chief information security officer, said in a statement that the state-sponsored actor in the 2014 attack had stolen Yahoo’s proprietary source code.

Outside forensics experts working with Yahoo believe that the state-sponsored hackers used Yahoo’s code to access Yahoo user accounts without their passwords by creating forged “cookies,” short bits of text that a website can store on a user’s machine. By forging these cookies, attackers were able to impersonate valid users, gaining information and performing actions on behalf of their victims.


Security has taken a back seat at Yahoo in recent years, compared to Silicon Valley competitors like Google and Facebook. Yahoo’s security team clashed with top executives, including the chief executive, Marissa Mayer, over the cost and customer inconvenience of proposed security measures.

Security experts also say the time it has taken Yahoo to uncover the breach disclosed Wednesday is a signal that the company’s security and monitoring technologies are inadequate.

“What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward,” said Jay Kaplan, the chief executive of Synack, a security company. “Yahoo has a long way to go to catch up to these threats.”

In July, Yahoo agreed to sell its core businesses to Verizon Communications for $4.8 billion. Verizon said in October that it might seek to renegotiate terms of the transaction because of the hacking, which had not been disclosed to Verizon during the original deal talks.

After the disclosure on Wednesday, a Verizon spokesman, Bob Varettoni, essentially repeated that position.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” he said. “We will review the impact of this new development before reaching any final conclusions.”

Lord said Yahoo had taken steps to harden its systems following the attacks. The company encouraged its users to change passwords associated with their Yahoo account and any other digital accounts tied to their Yahoo e-mail and account.


In the hacking disclosed Wednesday, Lord said Yahoo believed an “unauthorized third party” managed to steal data for 1 billion Yahoo user accounts. Lord said that Yahoo had not been able to identify how the hackers breached Yahoo’s systems, but the company believed the incident occurred in August 2013.

Changing Yahoo passwords will be just the start for many users. They will also have to comb through other services to make sure passwords used on those sites are not too similar to what they were using on Yahoo. And if they were not doing so already, they will have to treat everything they receive online, such as e-mails, with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

Yahoo recommended that customers use Yahoo Account Key, a tool that verifies identity using a mobile phone and eliminates the need to use a password on Yahoo altogether.

Security experts say the latest discovery of a breach that happened so long ago is another black mark for the company.

“It’s not just one sophisticated adversary that gets in,” said Ben Johnson, cofounder and chief security strategist at Carbon Black, a Waltham, Mass., security company. “Typically, companies get compromised multiple times due to the same vulnerability or employee culture.”

Johnson added that the scale of the breaches is only increasing as companies store more and more troves of information in similar databases.

“When you have these huge databases of information, it’s millions — and now billions — of accounts lost,” he said.