By Joseph D. McClendon
Yahoo, fresh off its September 2016 announcement of a 2014 cyber attack that breached 500 million user accounts, announced on December 14 that there is evidence of a second data breach, which affects twice as many user accounts as the initial 2014 breach.
The beleaguered search engine company disclosed that an internal investigation has uncovered a second data breach dating back to 2013, in which cyber criminals were able to steal an estimated 1 billion end user names, email addresses, telephone numbers, and dates of birth. The cyber criminals also stole hashed passwords as well as security questions and answers, some of which may not have been encrypted. Yahoo has not offered any information on why some account recovery questions and answers were encrypted, while others were not. The company does not believe financial data was stolen in the breach.
Yahoo is still in negotiations with Verizon over the $4.8 billion acquisition of the company; however, the announcement of this data breach will affect the deal if Yahoo’s valuation decreases.
For advice and guidance on how you can better protect consumer data, please contact the author or a member of Polsinelli’s Privacy and Data Security practice.
Summary and Takeaways
- Collect and store only the data you need
- Embrace the principle of least privilege
- Follow your breach plan to stay ahead of the breach
- Use industry best security practices