Yahoo revealed late this week one billion accounts had been hacked, hot on the heels of the company announcing a data breach of 500 million users in September.
While Yahoo was analysing the data from the September breach with cybersecurity forensic specialists, it thought it had uncovered a separate breach.
Symantec, the maker of Norton Security, said it appeared a "third party" stole information in August 2013 related to more than one billion user accounts.
Mark Shaw, technology strategist, Symantec Pacific region, said Yahoo stated it was not related to the data stolen in the previous breach in 2014.
"Yahoo believes the information stolen consists of full names, email addresses, dates of birth, phone numbers, hashed passwords and possibly security questions and answers. Luckily, Yahoo does not store credit card or any other payment information in the system that was affected," he said.
Spark is investigating if its Xtra users were affected by the hack. Spark is in the process of migrating Xtra Mail services back to New Zealand, through SMX, after issues with security, phishing and spam arose with Yahoo.
SMX is a New Zealand-owned cloud email security and cloud messaging platform provider.
Germany’s cybersecurity authority, the Federal Office for Information Security (BSI), is advising German consumers to consider switching to alternatives for email. Noting Yahoo was using the MD5 hash function to hash passwords, the BSI said MD5 was no longer considered state of the art and should be regarded as unsafe.
Verizon was now seeking to persuade Yahoo to amend the terms of the $US4.8 billion ($NZ6.82 billion) acquisition agreement made in July to reflect the economic impact of the data breaches, Reuters reported.
Verizon still expected to go through with the deal but was looking for major concessions in light of the most recent breach. Verizon said in October it was reviewing the deal after September’s breach disclosure. It said yesterday it would review the impact of the new development before reaching any final conclusions.
Senior US Democratic senator Mark Warner, of Virginia, said in a statement he intended to investigate Yahoo’s cybersecurity practices.
"This most recent revelation warrants a separate follow-up and I plan to press the company on why its cyber defences have been so weak as to have compromised over a billion users."
Mr Warner, who will become the top Democrat on the Senate Intelligence Committee next year, described the hacks as deeply troubling. He had repeatedly asked Yahoo for briefings about the 2014 hack but had not received a response, he said. Mr Warner asked the US Securities and Exchange Commission to investigate whether Yahoo had fulfilled obligations to inform investors and the public about the 2014 breach.
"If a breach occurs, consumers should not be first learning of it three years later."
At a glance
• Use a random combination of at least 10 symbols, letters and numbers.
• Don’t use the same password for multiple websites — ever.
• Don’t use words in your passwords. Programs can crack those passwords in a heartbeat.
• Don’t use any personal information in your password, not even your birthday.