Yahoo has announced a second, larger security breach that affected 1 billion user accounts – the biggest known data breach to date at any company.
Yahoo said the breach occurred in August 2013, with an unauthorised third party stealing data from 1 billion users, including included names, email addresses, telephone numbers, dates of birth and hashed passwords. The company said it also, in some cases, included encrypted or unencrypted security questions and answers.
Yahoo said it did not appear that hackers gained access to passwords in clear text, payment card data or bank account information.
Yahoo said it has not yet identified how the attackers penetrated its systems, though it said it now working with law enforcement.
Yahoo said it discovered this second breach after further forensic expert analysis into the earlier breach it announced in September, which affected 500 million user accounts. It said this second and larger breach is likely distinct from the one announced earlier this year, which it attributed to nation-state attackers.
That breach also affected names, email addresses, telephone numbers, birthdays, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo said it is in the process of notifying users affected by the breach and will prompt them to change their passwords and security questions.
It urged all users to check their accounts for suspicious activity, change their passwords and adopt the company's authentication tool.