Three months after Yahoo confirmed a 2014 data breach that affected over 500 million accounts, the company has revealed a new data theft of twice the size that took place in 2013.
The company stated that an “unauthorized third party” stole data associated with more than one billion user accounts in August 2013. The breach was discovered when Yahoo data was presented to the company by law enforcement in November. The company says it has not identified the details of the breach, but believes the event is distinct from the September breach. It has connected some of the activity from this most recent December breach to the state-sponsored actor that they believe was responsible for the September data theft.
In both cases it may have revealed names, emails, dates of birth, telephone numbers, hashed passwords and in some cases encrypted and unencrypted security questions, according to Yahoo’s reports.
This could jeopardize the tech company’s agreement with Verizon to acquire its core business. Verizon has said that it will review the impact of the breach, and an anonymous source familiar with the matter cited by WSJ noted that the company still has “all options on the table, including renegotiating the deal’s price or walking away.”
Yahoo has urged users to take safety precautions such as reviewing their online accounts and changing passwords and security questions for accounts on which they use similar information to their Yahoo account.
Update 12/15/16: According to an anonymous source cited by Bloomberg, Verizon is exploring slashing the price or reneging on its $4.83 billion Yahoo acquisition deal altogether. One of the main reasons is the concern that future lawsuits concerning the breaches would affect not only Yahoo but Verizon as well. Yahoo shares fell by as much as 6.5 percent on December 15th, the day following the announcement of the breach.