
Another billion Yahoo! (YHOO) accounts have been hacked, the company announced Dec. 14 after the market closed. The new breach, believed to have occurred in 2013, is on top of the 500 million hacked accounts from 2014 that were previously disclosed, and Yahoo! said it believes the two attacks were not related.

Editor's pick: This story was originally published on Dec. 14, 2016, and updated on Dec. 17, 2016.

The news comes as Yahoo! works to close its $4.8 billion sale to Verizon (VZ). When the companies announced the sale in July, Yahoo! put its total monthly average users at more than 1 billion, with 600 million mobile accounts.

Yahoo! shares fell in after-hours trading on Wednesday and were down 3.6% to $39.44 in premarket trading Thursday.

"Based on further analysis of this data by the forensic experts, Yahoo! believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," Yahoo! said in a statement. "The company has not been able to identify the intrusion associated with this theft. Yahoo! believes this incident is likely distinct from the incident the company disclosed on September 22, 2016."

EDITOR'S NOTE: This article was originally published by The Deal, a sister publication of TheStreet that offers sophisticated insight and analysis on all types of deals, from inception to integration.

The data thieves may have gotten away with names, email addresses, telephone numbers, dates of birth, obscured passwords and security questions and answers. The investigation indicates that information from bank accounts, payment cards and passwords in clear text were not part of the breach, Yahoo said.

The magnitude and other newly disclosed aspects of the 2013 breach have deeper implications than the 2014 hack, Wells Fargo analyst Peter Stabler wrote in a recent report.

"While YHOO has noted that the vast majority of passwords stolen in the 2014 breach were encrypted with the bcrypt algorithm, the passwords stolen in the August 2013 breach were encrypted with MD5 (message digest 5), which we believe represents a significantly weaker encryption algorithm which is much more vulnerable to brute-force attack," Stabler wrote. "As such, while users affected by the 2014 breach were asked to change their passwords, users affected by the August 2013 breach will be required to change their passwords."

For its part, Verizon said it would continue to watch Yahoo's review of the hacks. "As we've said all along, we will evaluate the situation as Yahoo continues its investigation," the telecom said. "We will review the impact of this new development before reaching any final conclusions." Verizon was previously reported to be trying to get a billion dollars knocked off its purchase price because of the previously disclosed intrusions.

Even if Verizon closes the purchase, Wells Fargo's Stabler wrote, Yahoo! shareholders could feel the pain that hacked Yahoo! subscribers have felt. "While we expect that Verizon's planned acquisition of Yahoo's core assets will ultimately proceed, today's disclosures cast additional uncertainty over the timing of deal close and potential renegotiation of the purchase price, in our view."

Before the latest breach was disclosed, Verizon CEO Lowell McAdam said at a Dec. 6 New York investor conference that the telecom still hopes to close the purchase of Yahoo!

"They've been doing all their work on the breach," McAdam said. "This is one of those things that we need to give them lots of time to do a full analysis before we move forward with that, and that's the process we're in at this point."