Wednesday, December 14, 2016

Yahoo! -- One Billion Accounts Compromised

Yahoo! confirmed that hackers stole data and compromised more than one billion user accounts in August 2013. The exploit was first disclosed by Yahoo! in November and is most likely different from the incident disclosed on September 22, 2016.

Separately, Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.

https://yahoo.com/security-update

Yahoo Cites State Actor for Massive Security Breach

Yahoo believes a state-sponsored actor breached its network in late 2014 and may have stolen names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers from at least 500 million accounts.

Yahoo said its ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information.

http://www.yahoo.com