Hackers may have accessed personal data from more than one billion Yahoo accounts during a 2013 cyber-attack, the internet giant has admitted – making it one of the largest data thefts ever.
Yahoo believes the attack is separate from one in late 2014 which was announced in September this year, in which 500 million users' details were taken.
It blamed the 2014 hack on a "state-sponsored actor", and believes that same actor carried out the 2013 attack announced today.
This morning Yahoo users around the world are waking up to an email from the firm which warns of another breach: "We believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft."
Yahoo says stolen user information may have included names, email addresses, telephone numbers, dates of birth, 'hashed' passwords (i.e. passwords concealed by a one-way algorithm rather than stored as typed) and, in some cases, encrypted or unencrypted security questions and answers. Clear-text passwords (i.e. those that aren't concealed) aren't believed to have been accessed.
Yahoo provides email services, a search engine and news, sport, finance and lifestyle content for billions of users worldwide.
The firm, which is currently being taken over by US telecoms company Verizon, says it's continuing to work with law enforcement authorities regarding the breach.
How do I know if I've been hacked?
As explained above, Yahoo is contacting users who may have been affected by email. However, because of the scale of the hack, it's probably safest to assume that if you had a Yahoo account in 2013 it may have been compromised, and to take action to protect yourself accordingly.
If you want to be sure the email you've received is genuinely from Yahoo, the company has published the email's contents on its website so you can compare them.
The HaveIBeenPwned? website allows you to check if an email address has been compromised in a number of large-scale hacks, including major breaches at LinkedIn and MySpace, and more recently Dropbox. But it's not yet clear whether HaveIBeenPwned? contains details of those affected by Yahoo's 2013 hack.
What should I do to protect myself?
Yahoo says anyone who is affected, or believes they could be, should immediately change their password and security questions and answers.
Crucially, you should do this not just for your Yahoo account but for any other accounts which may have used the same or similar information – a big risk with this kind of data breach is that hackers could use personal data from the hacked account to access your other accounts.
Yahoo has published a list of security tips in which it urges users to:
- Review their accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for personal information or refer them to a webpage asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Yahoo says it has invalidated unencrypted security questions and answers, so they can no longer be used to access your account.
Yahoo has also suggested using Yahoo Account Key to avoid having a password altogether. It works by linking your Yahoo account with your mobile phone: when you sign in you only need to enter your username, Yahoo sends a notification to your phone, and you approve the login from there.
It says its investigation indicates that no one's bank or card details have been compromised in the hack. However, if you want to be absolutely certain you should take a good look at your account statements and check your credit file to make sure there's been no fraudulent activity on any of your accounts.
Additional reporting by the Press Association.