International: Yahoo confirms breach of information from 1 billion user accounts

Yahoo! Inc. announced, on 14 December 2016, that it had discovered unauthorised access by a third party, which took place in August 2013, to more than one billion Yahoo user accounts. Yahoo highlighted that the incident is 'likely distinct' from a data breach disclosed by the company in September 2016.

According to Yahoo's press release, the affected account information 'may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.' Yahoo confirmed that users' passwords in clear text, payment card data, and bank account information were not affected.

The Deputy Information Commissioner at the UK Information Commissioner's Office ('ICO'), Simon Entwisle, said, "This latest report of another significant data loss at Yahoo gives us further cause for concern. [...] We are talking to Yahoo again today and we are in touch with the relevant international authorities to ensure the data protection interests of UK customers are considered. The scale of this attack is unprecedented and it is not yet known how many UK users are affected."

You can read Yahoo's press release here and the ICO's press release here.

UPDATE (16 December 2016): The New York Attorney General, Eric T. Schneiderman, issued, on 16 December 2016, a consumer alert in relation to the second Yahoo data breach ('the Alert'). In particular, the Alert examines the circumstances of the breach and Yahoo's disclosure of the breach to law enforcement.

You can read the Alert here.

UPDATE (15 February 2017): The Chairman of the Committee on Commerce, Science, and Transportation, John Thune, and the Chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Jerry Moran, sent, on 10 February 2017, a letter to Yahoo's Chief Executive Officer, Marissa Mayer, requesting information about the security breaches disclosed by Yahoo over the past few months ('the Letter'). The Letter states that Yahoo was unable to 'provide answers to many basic questions' about the incidents, which 'prompted concerns about Yahoo's willingness to deal with the U.S. Congress with complete candor about these recent events.'

The Letter asks Yahoo to provide information on the number of users affected by the breaches, the type of data compromised, the steps taken to identify and mitigate potential consumer harm, efforts to rectify the situation, and the timeline of the incidents. Yahoo was requested to respond to the questions by 23 February 2017.

You can read the Letter here.