Updated at 6:30 p.m.
A hacker stole information from more than one billion Yahoo email accounts in August 2013, the company announced Wednesday.
The data included names, email addresses, telephone numbers, dates of birth, and password hashes, which are strings of characters that help a website check whether or not an entered password is correct. Some people may have also had answers to their security questions stolen, which, if published, could make it easier for hackers to gain access to other accounts that use the same security answers.
Earlier this year, Yahoo announced that information from 500 million user accounts was stolen. At the time, that looked like one of the largest single data breaches in existence—but it’s now been eclipsed in scale by the latest hack. The company says the data breach it announced Wednesday is separate from the one it notified users about in September.
Yahoo says it discovered the billion-account breach with the help of law enforcement, which shared with the company a trove of stolen user data that it had uncovered. The “same state-sponsored actor” behind the 500 million-account breach was likely involved in this cyberattack, too, according to Yahoo.
The attacker was able to “forge” cookies—small packages of data that track users and tell browsers which accounts a user is signed into, among other things—by accessing and dissecting Yahoo’s “proprietary code,” the company said. Yahoo invalidated the fake cookies, and is notifying the users whose accounts were breached.
The breach was the second large-scale theft of data from Yahoo since Verizon announced its intention to buy the internet company this summer.
A Yahoo spokesperson said Wednesday that there are more than a billion Yahoo users. Since users can make more than one account, it’s not clear how exactly many individual users were affected. The spokesperson would not share the number of Yahoo user accounts that exist.
We want to hear what you think about this article. Submit a letter to the editor or write to firstname.lastname@example.org.