Yahoo has even more security problems than you thought. The company has discovered a new breach dating back to August 2013, which exposed names, emails, and hashed passwords for more than a billion users. The discovery was announced in a post today by CISO Bob Lord, who attributed it to “an unauthorized third party.” Payment information was not involved, and the breach is believed to be entirely distinct from the Yahoo breach announced in September.
The passwords involved were hashed using the MD5 algorithm, which was already easily crackable in 2013. As a result, it’s likely that any dedicated criminals were able to work back to the underlying passwords.
At the same time, Yahoo has also detected significant new incursions against the service’s cookie system, which is used to identify logged-in users. According to Lord’s report, a separate group of attackers gained access to Yahoo’s proprietary source code, and used that code to forge cookies that would falsely identify them as logged in. The result was an end run around Yahoo’s login security as a whole. That effort is believed to be linked to the September breach, which was attributed to a state-sponsored group.
The overall result is a major embarrassment for Yahoo, coming at a sensitive time for the company’s pending $4.8 billion deal with Verizon. Verizon expressed hesitation after the September breach announcement, and today’s news is likely to deepen those concerns even further.
“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation,” Verizon said in a statement. “We will review the impact of this new development before reaching any final conclusions.”