In case you weren't concerned enough, Yahoo! reveals another 1 billion accounts compromised

Not again. One billion user accounts have been compromised in yet another security breach at the company. This is on top of the hundreds of millions already affected by previous hacks. What makes this more terrifying is that the breach behind this 1 billion account figure actually happened back in August 2013.

As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016. For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

This is simply unacceptable. The official announcement states that those affected will be contacted and steps have already been taken to secure accounts. That said, the hack has already occurred, systems breached and data leaked. This data may have included names, email, phone numbers, birth dates, hashed passwords and even unencrypted security questions and answers. When you look at how the breach was possible, this story becomes even worse.

Separately, we previously disclosed that our outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used.

We have to ask: do you really need your Yahoo! account? If not, we strongly recommend you delete it.

Rich Edmonds

Rich Edmonds is Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He's been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him over on Twitter at @RichEdmonds.

25 Comments
  • They're on a roll...
  • I use Outlook.
  • Not used my Yahoo account for about 12 years so don't think I need to be too concerned, but it's still shocking how they can let it happen!!
  • Delete your account. It's easy. https://edit.yahoo.com/config/delete_user
  • I've taken my first step and deleted my account.
  • I did get hacked by someone located in China. Changed my password immediately and one more time since then. Haven't got any more "someone tried to access your account" messages since.
  • Make sure, if you got an email asking you to change your password, that it wasn't a fake email. Sometimes hackers will send an email that looks super real with a link to reset your password, which will reset your password, but also give them your new one. Usually can tell by checking the email address that the email is sent from. Obviously, logging in to the website itself and changing your password that way should be safe.
    Usually this kind of stuff happens with bank accounts, or email accounts for politicians.
  • Yep, I deactivated my account when the first security breach was made known. I hope it's deleted now.
  • What about hundreds of existing important mails?
  • You can back up email by linking your account with desktop outlook and downloading them then saving the outlook database file with the mails.
  • I'm using yahoo as my secondary email. I changed my password and turned on step two verification...
  • Uh, it's Yahoo Answers, so basically anyone that uses Yahoo Answers, not their email system.
  • So disappointed. Seriously?! I need my accounts, they are linked to things.  
  • With that being said, I have a lot of yahoo email accounts, so it's time to delete some of them.
  • I need it for my Flickr account
  • Yahoo? Ya-noo!
  • I do, for Flickr. Haven't found a worthy replacement.
  • 500px is good. I moved to 500px from Flickr about 2 years back.
  • More shocking is the fact that they actually had one billion users. I'll never forget the day I set up an email address - literally within 30 minutes I was bombarded with spam, porn and other dodgy links and I'd not even ever used the address for anything
  • Building my own Mail server on my TS-470 Pro.
  • Glad I never used anything related to Yahoo! :)
  • Just finished setting up a new yahoo account as it offers 1TB of space 😊
  • I still have my yahoo account and I don't think hackers can find anything useful in my yahoo mail, so I don't care. I won't change my password either.
  • I still have my Yahoo Mail account and I've had it since I was in high school. It's not easy to delete an account as old as that because you would've used that email as a contact email for so many different things that you'd be bound to forget something if you went to change your contact email on everything you signed up for. I also use Yahoo's Account Key (which, incidentally, is something Yahoo themselves recommend).
  • Never had a Yahoo email account, guess that was a good call