American technology giant Yahoo has said it believes hackers stole data from more than one billion accounts in August 2013 – in a breach separate from the one it previously disclosed affecting 500 million accounts.
The company said the information stolen may include names, email addresses, phone numbers, birthdates and security questions and answers, but added bank account information and payment-card data were not affected.
In a statement, Yahoo said: “Yahoo believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.
“As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.
“Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.”
The company added that its analysis has led it to believe the same state-sponsored hackers were involved in this newly-disclosed attack.
In the statement, Yahoo advised all users to review their online accounts for suspicious activity and to change their passwords.
“Yahoo encourages users to review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account,” the statement added.
The new hack revelation could be a major blow to the struggling internet giant, which is in the process of selling its core operating assets to Verizon for $4.8bn (£3.8).
In a statement, Verizon said that it would evaluate the situation as Yahoo investigates and would review the “new development before reaching any final conclusions”.
In November, Yahoo disclosed that as part of its investigation, it had received data files from law enforcement “that a third party claimed was Yahoo user data”.
Using outside forensic experts, Yahoo confirmed that this was user data but added that it had “not been able to identify the intrusion associated with this theft”.
The stolen user account information in the most recent hack may have included names, email addresses, telephone numbers, dates of birth, “hashed” passwords and, in some cases, encrypted or unencrypted security questions and answers.
The hackers did not obtain passwords in clear text, payment card data or bank account information.
Additional reporting by PA
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies