Yahoo has revealed that hackers stole data from more than a billion user accounts in August 2013, in what is believed to be one of the biggest data breaches in history.
The internet company confirmed personal information such as names, email addresses, telephone numbers and birthdates were exposed by what it believes was an “unauthorised third party” attack.
Passwords, and in some cases encrypted or unencrypted security questions and answers, may have also been taken.
It’s the second security breach revealed by the company in recent months, following its announcement in September that data from 500 million accounts was stolen in 2014.
The new breach is believed to be distinct from the previous incident, bringing the total to more than 1.5 billion hacked emails in the past three years.
And while Yahoo said the stolen information did not include payment card data or bank account information, cyber security experts believe otherwise.
eVestigator computer forensic expert Simon Smith said some Yahoo users may have already experienced online fraud, given the time that has passed since the hacks, and told users to delete their accounts.
“Every user of Yahoo is essentially blind because they don’t know what has happened to their accounts in the last three years,” Mr Smith told The New Daily.
“They don’t know what the cause is, all they know is any potential cyber security issue or online fraud in the last three years is attributable to Yahoo.
“I would strongly suggest Yahoo users delete their account and find a different provider that is more secure.”
RMIT University information security expert Professor Asha Rao also said people often send their bank account information to friends and family via email, which leaves them exposed.
“The whole idea of hacking an account is that they can harvest any bank details within the account, find out if your password has been used elsewhere and your email list for spamming,” Professor Rao told The New Daily.
“People tend to send this information out, and if you are not careful and you do that, you just open yourself up to other attacks.”
Time to take care
Yahoo has told users to change their password and security questions immediately.
It also suggested users change their security information for other accounts with the same password to reduce the risk of being exposed elsewhere.
The company urged users to be wary of any unsolicited communications that ask for personal information or refer them to a web page asking for personal information.
Users were also told to avoid clicking on links or downloading attachments from suspicious emails.
Non-Yahoo users warned
Yahoo users are not the only ones exposed in the historic hack, as experts warned non-Yahoo emails are also at risk.
“This is bad for those hacked as well as other people you know,” Professor Rao said.
“If they have hacked your account and you have a large email contact list it could be then used to send out emails to these people.”
She said this is more dangerous to other users than simple malware, as emails from known addresses could result in more affected accounts.
Professor Rao used the example of an email from a friend saying they are stuck somewhere and asking for money, and warned users who receive a suspicious email to speak to the person offline first.