Yahoo mega-breach exposes more than 1 billion accounts

Yahoo is closing 2016 with a bang — and not in a good way.

More than 1 billion Yahoo accounts may have been exposed after a third-party hacker hit the internet company in a separate attack from the one that was revealed in September.

"Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," the company said in a statement. "The company has not been able to identify the intrusion associated with this theft. Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016."

See more on major data breaches:

Notable data breaches in the US
See Gallery
Notable data breaches in the US
Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell
LONDON, ENGLAND - AUGUST 19: A detail of the Ashley Madison website on August 19, 2015 in London, England. Hackers who stole customer information from the cheating site dumped 9.7 gigabytes of data to the dark web on Tuesday fulfilling a threat to release sensitive information including account details, log-ins and credit card details, if Avid Life Media, the owner of the website didn't take Ashley offline permanently. (Photo by Carl Court/Getty Images)
Katherine Archuleta, director of the U.S. Office of Personnel Management (OPM), speaks during a House Oversight and Government Reform Committee hearing on the OPM data breach in Washington, D.C., U.S., on Wednesday, June 24, 2015. U.S. senators said yesterday they doubt the government's personnel office understands the breadth of a computer hack that exposed the records of more than 4 million federal workers, or that the agency can stop another breach. Photographer: Andrew Harrer/Bloomberg via Getty Images
WASHINGTON, DC - JUNE 05: The entrance to the Theodore Roosevelt Federal Building that houses the Office of Personnel Management headquarters is shown June 5, 2015 in Washington, DC. U.S. investigators have said that at least four million current and former federal employees might have had their personal information stolen by Chinese hackers. (Photo by Mark Wilson/Getty Images)
SCHAUMBURG, IL - AUGUST 04: A statue of a horse stands at the entrance to a P.F. Chang's restaurant on August 4, 2014 in Schaumburg, Illinois. P.F. Chang's China Bistro Ltd. said today that the company experienced a data breach involving customers' credit and debit card information which affected 33 restaurants in 16 states, including the Schaumburg, Illinois location. (Photo by Scott Olson/Getty Images)
PORTLAND, ME - AUGUST 15: Shaws on Congress Street on Friday, July 15, 2014. Shaws parent company is investigating a possible data breach. (Photo by Logan Werlinger/Portland Press Herald via Getty Images)
COLMA, CA - APRIL 18: Customers enter a Michaels art and crafts store on April 18, 2014 in Colma, California. Michaels, the largest arts and crafts chain in the U.S., announced that an estimated 2.6 million cards used at its stores across the country may have been affected by a security breach. Aaron Brothers, a subsidiary of Michaels, was also affected by the breach. (Photo by Justin Sullivan/Getty Images)

CORAL GABLES, FL - FEBRUARY 28: A checkout keypad is seen at a Sears store on February 28, 2014 in Coral Gables, Florida.

According to reports the U.S. Secret Service is investigating a possible digital attack at Sears Holdings Corp. (Photo by Joe Raedle/Getty Images)

A couple of shoppers leave a Target store on a rainy afternoon in Alhambra, California on December19, 2013, as the US retail giant said some 40 million customers may have had bank card data compromised by hackers who broke into its database as holiday shopping got underway. Target said there had been 'unauthorized access' to its payment system in US stores affecting credit and debit cards with approximately 40 million credit and debit cards possibly affected by the breach between November 27 and December 15, the company said in a statement. AFP PHOTO / Frederic J. Brown (Photo credit should read FREDERIC J. BROWN/AFP/Getty Images)

That hack, which affected 500 million accounts, was among the biggest breaches of all time. At 1 billion this time, Yahoo may have earned a dubious new honor.

The data stolen from the newly revealed breach includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some instances, encrypted or unencrypted security questions and answers.

"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected," the Yahoo statement said.

Related: Another Yahoo Hack Revealed. What Should You Do Now?

Authorities handed over data files from a third party that were purported to include Yahoo data, according to the company's chief information security officer, Bob Lord.

"As we previously disclosed in November, law enforcement provided us with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data," Lord wrote.

Through forensic analysis, Yahoo was then able to determine that a breach occurred in August 2013.

It's "very rare" to learn about two mega-breaches in such a short window of time, Jeremiah Grossman, chief of security at the cybersecurity company SentinelOne and a former Yahoo employee, told NBC News.

"It's really few and far between," he said. "Having multiple distinct breaches doesn't sound good."

What if you have an account?

Yahoo will notify potentially affected users and require them to change their passwords.

Because security questions and answers were stolen, Yahoo has nullified any unencrypted questions and answers, Lord wrote.

See more on Yahoo:

Marissa Mayer, former Yahoo CEO
See Gallery
Marissa Mayer, former Yahoo CEO
Marissa Mayer, president and chief executive officer of Yahoo! Inc., speaks during the 2015 Fortune Global Forum in San Francisco, California, U.S., on Tuesday, Nov. 3, 2015. The forum gathers Global 500 CEO's and innovators, builders, and technologists from some of the most dynamic, emerging companies all over the world to facilitate relationship building at the highest levels. Photographer: David Paul Morris/Bloomberg via Getty Images
Marissa Mayer, president and chief executive officer at Yahoo! Inc., smiles during the 2015 Bloomberg Technology Conference in San Francisco, California, U.S., on Tuesday, June 16, 2015. Mayer said that the company's spinoff of its stake in Alibaba Group Holding Ltd. is proceeding as planned. Photographer: David Paul Morris/Bloomberg via Getty Images
NEW YORK, NY - MAY 04: Marissa Mayer, President and CEO of Yahoo attends 'China: Through The Looking Glass' Costume Institute Benefit Gala - Press Preview at Metropolitan Museum of Art on May 4, 2015 in New York City. (Photo by Bennett Raglin/WireImage)
NEW YORK, NY - APRIL 27: Yahoo CEO Marissa Mayer attends the 2015 Yahoo Digital Content NewFronts at Avery Fisher Hall on April 27, 2015 in New York City. (Photo by Cindy Ord/Getty Images for Yahoo)
Marissa Mayer, president and chief executive officer at Yahoo! Inc., smiles during a press conference at the Yahoo! Inc. Mobile Developer Conference in San Francisco, California, U.S., on Thursday, Feb. 19, 2015. Mayer unveiled a suite of development tools for mobile applications that integrate its own advertising services with features it acquired with analytics startup Flurry Inc. Photographer: David Paul Morris/Bloomberg via Getty Images
Marissa Mayer, chief executive officer of Yahoo! Inc., listens during a panel session on day four of the World Economic Forum (WEF) in Davos, Switzerland, on Saturday, Jan. 25, 2014. World leaders, influential executives, bankers and policy makers attend the 44th annual meeting of the World Economic Forum in Davos, the five day event runs from Jan. 22-25. Photographer: Jason Alden/Bloomberg via Getty Images
Yahoo CEO Marissa Mayer speaks during her keynote address at the 2014 International CES in Las Vegas, Nevada, January 7, 2014. AFP PHOTO / ROBYN BECK (Photo credit should read ROBYN BECK/AFP/Getty Images)
Marissa Mayer, president and chief executive officer of Yahoo! Inc., reacts during the DreamForce Conference in San Francisco, California, U.S., on Tuesday, Nov. 19, 2013. Yahoo boosted its stock-buyback plan by $5 billion, returning more cash to shareholders as Mayer seeks to revive growth at the largest U.S. Internet portal. Photographer: David Paul Morris/Bloomberg via Getty Images
Marissa Mayer, chief executive officer of Yahoo! Inc., smiles at the TechCrunch Disrupt SF 2013 conference in San Francisco, California, U.S., on Wednesday, Sept. 11, 2013. Yahoo! Mayer said the Web portal has surpassed 800 million active monthly users, a 20 percent increase since she joined the company in July 2012. Photographer: David Paul Morris/Bloomberg via Getty Images

The latest disclosure comes after a tumultuous year for Yahoo.

It was announced in July that Verizon had reached an agreement to buy Yahoo for $4.83 billion. The deal is still in process, and it remains unclear how the latest revelation could affect the sale.

In a November SEC filing, Yahoo warned Verizon could still pull out of the deal.

"There is no assurance" the merger will be "consummated in a timely manner or at all," the filing said.

Related: Yahoo Warns Verizon Could Pull Out of $4.8 Billion Deal

It's also possible Verizon could renegotiate, buying Yahoo for a lesser price.

"Breaches or security concerns have never materially impacted an acquisition but this one could be different," Grossman said.

In addition to possibly scuppering one of the year's biggest deals, Yahoo's September mega-breach has led to a plethora of federal, legal, state and local investigations, along with dozens of class-action lawsuits from consumers. There's no telling what could come after this latest disclosure.

Read Full Story