Casting another dark cloud on its proposed sale to Verizon, Yahoo Inc. confirmed Wednesday that it believes an unauthorized third party, in August 2013, stole data associated with more than 1 billion user accounts.
The latest admission follows an earlier one in which Yahoo said data from more than 500 million accounts, including customer e-mail addresses, birth dates, phone number and encrypted passwords, were stolen.
Yahoo noted that the latest data breach was discovered after it law enforcement provided the company with data files that a third party claimed was Yahoo user data.
“Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016,” the company said.
The latest data breach admission plants another seed of doubt around Verizon’s $4.8 billion deal to acquire Yahoo for $4.8 billion. Speculation following the earlier hacking revelation was that Verizon might try to cut the purchase price by as much as $1 billion. Verizon has held that the data breach could be a material event
Verizon said its position on the pending deal remains unchanged following this week’s revelation.
"As we've said all along, we will evaluate the situation as Yahoo continues its investigation. We Will review the impact of this new development before reaching any final conclusions,” Verizon said in a statement.
UPDATE:Bloomberg reported Thursday morning that Verizon is exploring a price cut or a possible exit from the proposed deal.
Regarding the latest breach discovery, Yahoo said stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, possibly, encrypted or unencrypted security questions and answers. Yahoo noted that the investigation showed that the purloined data did not include passwords in clear text, payment card data, or bank account information.
“Payment card data and bank account information are not stored in the system the company believes was affected,” Yahoo said.
Based on its ongoing investigation in the hacking matter, Yahoo said it believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies.
Yahoo said it is encouraging its users to review their online accounts for suspicious activity and to change their passwords and security questions. Further, it’s recommending the use of a Yahoo Account Key, an authentication tool that, it says, eliminates the need to use a password on Yahoo altogether.