We seriously have no idea what's going on at Yahoo, but it seems like the people in charge have long since abandoned ship. A couple of months ago news emerged that 200 million Yahoo user accounts got hacked in late 2014, but that number quickly ballooned to "over 500 million" accounts. The search company attributed the hack to a state-sponsored actor and confessed that lots of private details were breached.
Can it get any worse than that? Absolutely, because Yahoo just announced it discovered it was the victim of an even bigger data breach in August 2013. More than 1 billion user accounts were affected by this breach, making it the single largest hack in history.
Stolen data may have included names, e-mail addresses, phone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. Yahoo says payment-card data and bank account information was not impacted because it was stored in a different system.
As Reuters reports, Yahoo has no idea who was behind this attack or how they got in. This implies the attackers may still have access to Yahoo's systems.
Yahoo was tentative in its description of new problems, saying the incident was "likely" distinct from the one it reported in September and that stolen information "may have included" names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
It said it had not yet identified the intrusion that led to the massive data theft and noted that payment-card data and bank account information were not stored in the system the company believes was affected.
The company also admitted it discovered a vulnerability that allowed hackers to forge cookies to gain access to user accounts without needing to know the password:
Yahoo also said Wednesday that it believes hackers responsible for the previous breach had also accessed the company’s proprietary code to learn how to forge "cookies" that would allow hackers to access an account without a password.
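To make the cookie-forgery point concrete, here is an added example (not Yahoo's code; the cookie layout, the constant and the key are assumptions) contrasting a session cookie whose integrity rests only on what is written in the source code with one keyed by a secret kept outside the code base. Leaked source is enough to mint valid cookies under the first scheme but not the second.

```python
import hashlib
import hmac
import time

# Constructed example, not Yahoo's code. Cookie layout: "user:expiry:tag".
# Scheme A: the tag is an unkeyed hash whose only "secret" is a constant in
# the source, so anyone who reads the code can compute tags for any user.
CODE_CONSTANT = b"proprietary-salt-v3"  # hypothetical value baked into the code

def tag_unkeyed(user, expiry):
    return hashlib.sha256(CODE_CONSTANT + f"{user}:{expiry}".encode()).hexdigest()

# Scheme B: an HMAC keyed with a secret that lives outside the code base
# (injected from a secret store at start-up); the code alone is not enough.
def tag_keyed(user, expiry, key):
    return hmac.new(key, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()

def make_cookie(user, expiry, tag):
    return f"{user}:{expiry}:{tag}"

def _split(cookie, now):
    """Return (user, expiry, tag) if the cookie is well formed and unexpired."""
    parts = cookie.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    if int(parts[1]) <= (now if now is not None else int(time.time())):
        return None
    return parts

def verify_unkeyed(cookie, now=None):
    """Scheme A check: accepts any tag reproducible from the source alone."""
    parts = _split(cookie, now)
    if parts is None:
        return None
    user, expiry, tag = parts
    return user if hmac.compare_digest(tag, tag_unkeyed(user, expiry)) else None

def verify_keyed(cookie, key, now=None):
    """Scheme B check: constant-time compare against the keyed tag."""
    parts = _split(cookie, now)
    if parts is None:
        return None
    user, expiry, tag = parts
    return user if hmac.compare_digest(tag, tag_keyed(user, expiry, key)) else None

if __name__ == "__main__":
    exp = 4102444800  # 2100-01-01, so the sample cookie stays valid
    source_only = make_cookie("alice", exp, tag_unkeyed("alice", exp))
    # Scheme A accepts a cookie built from the source; scheme B rejects it.
    print(verify_unkeyed(source_only), verify_keyed(source_only, b"\x00" * 32))
```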
Yahoo sent an e-mail to its users and forced a password reset. It's better than nothing, but it's still weird that such a huge breach went undetected for three years. Either way, given these two separate incidents, I don't think I would ever entrust any data to Yahoo again.