SAN FRANCISCO • Yahoo, already reeling from its September disclosure that 500 million user accounts had been hacked in 2014, has revealed that a different attack in 2013 compromised more than one billion accounts.
The two attacks are the largest known security breaches of one company's computer network.
In a huge blow to the struggling Internet pioneer, Yahoo said in a statement on Wednesday that it "believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts".
It said this case "is likely distinct from the incident the company disclosed on Sept 22, 2016", affecting 500 million users.
The news poses a fresh threat to Yahoo's deal to sell its core operating assets to Verizon for US$4.8 billion (S$6.9 billion).
The 2013 attack involved sensitive user data, including names, phone numbers, dates of birth, encrypted passwords and unencrypted security questions that could be used to reset a password. Yahoo said it is forcing all affected users to change their passwords and it is invalidating unencrypted security questions - steps that it declined to take in September.
It is unclear how many users were affected by both attacks. Yahoo has over one billion active users, but it is not clear how many inactive accounts were hacked.
Security has taken a back seat at Yahoo in recent years, compared with Silicon Valley rivals like Google and Facebook. Yahoo's security team has clashed with top executives, such as chief executive Marissa Mayer, over the cost and inconvenience of proposed measures.
And critics say it was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012 and a series of spam attacks the year after.
"What is most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law enforcement came forward," said Mr Jay Kaplan, chief executive of Synack, a security company. "Yahoo has a long way to go to catch up to these threats."
In Singapore, cyber security experts said the first and most important thing affected users should do is to change their Yahoo account passwords. And if they used the affected e-mail address for other websites or services, they should change those passwords too.
In Singapore, Mr Nick FitzGerald, a senior research fellow with security software maker ESET Asia-Pacific, said it is likely that the accounts of most Yahoo users have been compromised, given the sheer scale of the data breach.
Yahoo users "should be overcautious about e-mails or communications arriving out of the blue, especially any that require you to validate details or hand over further information", he said. "They should also avoid clicking on links or downloading attachments from suspicious e-mails."
Users should also have different passwords for different websites. Mr Mohan Veloo, Asia-Pacific vice-president for technology at network security firm F5 Networks, said: "Most folk tend to use the same password in favour of convenience... and this elevates the risk of a breach."
He urged users to change their passwords every few months. "Breaches happen all the time. But one that is on such a massive scale, that went undetected for so long and has happened a few times, is definitely cause for concern," he said.
AGENCE FRANCE-PRESSE, NYTIMES
• Additional reporting by Lester Hio