As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed were Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Stolen information did not include passwords in clear text, payment card data, or bank account information.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.
The company is also investigating a separate hack that involves the creation of forged cookies that could allow an intruder to access users' accounts without a password. Yahoo is also notifying users affected by the hack and says it has linked the activity to the same state-sponsored actor believed to be responsible for the last major hack disclosed.
Additional information is available on the Yahoo Account Security Issues FAQs page: https://yahoo.com/security-update.