Yahoo says hackers stole names, email addresses, phone numbers, dates of birth and encrypted or unencrypted security questions and answers from more than a billion accounts.
In a statement posted to its website on Wednesday, the company said it had “taken steps to secure user accounts and is working closely with law enforcement.”
The statement continued:
“As Yahoo previously disclosed in November, law enforcement provided the company with data files that a third party claimed was Yahoo user data. The company analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts.
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.”
This is the second major breach of private user information Yahoo has announced in the last three months. In September, the company said information associated with at least 500 million user accounts had been stolen in 2014, as we reported.
That security breach allowed hackers to steal the same types of information the company thinks were stolen in this instance.
The company said that it believes the two incidents were distinct.
As it did in September, Yahoo created an FAQ page to answer questions from account holders.
In both cases, Yahoo said its outside forensics experts had connected at least some elements of the hacking to a “state-sponsored actor,” but did not say which foreign government it believed had supported the hack.