

NEW YORK CITY (dpa-AFX) - Yahoo! Inc. (YHOO) disclosed another major security breach that may have affected more than 1 billion user accounts, another blow to the company's reputation as it nears the sale of its main web businesses to Verizon Communications Inc. (VZ).



Yahoo said Wednesday that it hasn't been able to identify the 'intrusion' associated with this theft by a third party in August 2013. The event was unearthed by forensic experts after law enforcement investigators warned the company about a potential breach.



Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016.



In September, Yahoo said the personal information of at least 500 million accounts was stolen in a 2014 attack on its accounts. The attacker was a 'state-sponsored actor,' and stolen information may have included names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and, in some cases, unencrypted security questions and answers, Yahoo said.



In November, Yahoo gave an update to investors on its internal review of the hack, saying an independent board committee is investigating how many employees at Yahoo knew about the breach.



Yahoo said last month the $4.8 billion sale of its web portal still is expected to close in the first quarter of next year.



'As we've said all along, we will evaluate the situation as Yahoo continues its investigation,' Verizon said. 'We will review the impact of this new development before reaching any final conclusions.'



If the investigation shows significant harm to the business and Yahoo customers, Verizon would consider options like reducing the deal price or walking away, reports said Wednesday, citing people familiar with the matter. The acquisition still makes strategic sense for Verizon.



In the 2013 hack disclosed Wednesday, Yahoo said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.



Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account.



Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies. The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.



Yahoo recommended using 'Yahoo Account Key', a simple authentication tool that eliminates the need to use a password on Yahoo altogether.



