The number of affected accounts was double the scope of an attack in 2014 that the internet company disclosed in September. News of that attack, which affected at least 500 million accounts, prompted Verizon Communication Inc to say in October that it might withdraw from an agreement to buy Yahoo’s core internet business for $4.83 billion.
Verizon said, “we will review the impact of this new development before reaching any final conclusions.”
“Yahoo badly screwed up,” Bruce Schneier, a cryptologist and one of the world’s most respected security experts, said after the internet company’s latest disclosure. “They weren’t taking security seriously and that’s now very clear. I would have trouble trusting Yahoo going forward.”
Yahoo said it believed the incident disclosed on Wednesday was likely distinct from the one it reported in September.
The company said it has not been able to identify the intrusion associated with the theft.
Yahoo said the stolen user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Payment card data and bank account information were not stored in the system believed to be affected, the company said.
Yahoo, whose shares were down 2.4 percent to $39.91 in extended trading, said it is notifying potentially affected users and has taken steps to secure their accounts.
Verizon shares were little changed from their close of $51.63. (Reporting by Anya George Tharakan in Bengaluru; Editing by Savio D’Souza, Bernard Orr)