Yahoo today revealed it had recently identified a new system breach that occurred in August 2013 and involved data associated with more than one billion user accounts.
The company said it believed the incident was separate from the breach it disclosed in September, in which information associated with at least 500 million user accounts was stolen from its network in 2014.
Yahoo, which is being acquired by Verizon, said an unauthorized third party had stolen the data in the latest breach, and that it was working closely with law enforcement.
“We have not been able to identify the intrusion associated with this theft,” CISO Bob Lord said in a statement.
The company said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
“The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information,” Lord said.
“Payment card data and bank account information are not stored in the system the company believes was affected.”
Yahoo is urging its users to change their passwords, and has invalidated unencrypted security questions and answers so they can’t be used to access an account.