Yahoo Says Second Hack Affected More Than 1 Billion in 2013

Yahoo! Inc. disclosed a second major security breach that may have affected more than 1 billion users, another blow to the company's reputation as it nears the sale of its main web businesses to Verizon Communications Inc.

The company said in a statement Wednesday that it hasn't been able to identify the "intrusion" associated with this theft by a third party in August 2013. The event was unearthed by forensic experts after law enforcement investigators warned the company about a potential breach. Yahoo has said it has about 1 billion users.

Yahoo said it believes the incident "is likely distinct" from the hack the company disclosed in September. The shares dropped as much as 2.6 percent in extended trading after the announcement.

In September, Yahoo said the personal information of at least 500 million users was stolen in a 2014 attack on its accounts, exposing data from a wide swath of its users ahead of the Verizon deal. The attacker was a "state-sponsored actor," and stolen information may have included names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo has said.

For Chief Executive Officer Marissa Mayer, the new hacks could weaken Yahoo's reputation with users who have been using its services for years and further tarnish its credibility ahead of the Verizon deal. The lack of progress on the earlier breach, and the limited information provided to Verizon, caused misgivings inside the telecommunications company about the deal, people familiar with the matter told Bloomberg in October. Yahoo said last month the $4.8 billion sale of its web portal still is expected to close in the first quarter of next year.

"As we've said all along, we will evaluate the situation as Yahoo continues its investigation," Verizon said in an e-mailed statement. "We will review the impact of this new development before reaching any final conclusions."

If the investigation shows significant harm to the business and Yahoo customers, Verizon would consider options like reducing the deal price or walking away, a person familiar with the matter said Wednesday.

Alerting Users

In the 2013 hack disclosed Wednesday, Yahoo said compromised user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The company said it was notifying potentially affected users and had taken steps to secure their accounts.

In November, Yahoo gave an update to investors on its internal review of the hack, saying an independent board committee is investigating how many employees at Yahoo knew about the breach.

Yahoo also previously disclosed an investigation into the creation of forged cookies that could allow an intruder to access users' accounts without a password. As of now, the company believes an unauthorized party accessed the "code to learn how to forge cookies."

"Experts have identified user accounts for which they believe forged cookies were taken or used," the company said. "Yahoo is notifying the affected account holders, and has invalidated the forged cookies."
