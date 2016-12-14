Hackers stole personal data on more than a billion Yahoo users in 2013, the struggling internet company said on Wednesday, in another blow to chief executive Marissa Mayer and her planned deal with Verizon.

The revelation of what is easily the world’s largest hacking attack comes after the summer’s disclosure of another intrusion in 2014 that affected 500m Yahoo accounts, which had already threatened to destabilise Verizon’s planned $4.8bn takeover of its core business.

The massive breach will raise new questions about whether Yahoo had put in place appropriate security controls and procedures to protect its users. Last month, Yahoo admitted that at least some staff knew that a state-sponsored hacker had accessed its network soon after the 2014 intrusion occurred, despite previously claiming that it only discovered it in August 2016.

After discovering this even bigger attack, Yahoo said it still did not know how hackers had obtained the stolen data, which affects the vast majority of its users.

Among the information taken were unencrypted security questions and answers, potentially arming hackers with personal details such as pets’ names, parents’ maiden names and memorable dates that they could use to access many other online accounts. Hackers could easily use the information to reset passwords and access users’ Yahoo accounts.

The company was first alerted to the 2013 theft by law enforcement, which presented it with data files that an unnamed group claimed had been taken from Yahoo users. Yahoo said it believed that this larger breach was “likely distinct” from the one it disclosed in September.

“Based on further analysis of this data by the forensic experts, Yahoo believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo said in a statement. “The company has not been able to identify the intrusion associated with this theft.”

Yahoo’s shares fell about 2.5 per cent in after-hours trading, as investors considered what the impact might be on the proposed buyout of its core internet business by Verizon. The deal was announced in July, two months before Yahoo revealed the 2014 hack.

In October, Verizon said it believed it had a “reasonable basis” to renegotiate or abort the deal, which has not yet closed, in light of what was until now one of the world’s largest security breaches.

In a statement that swiftly followed Yahoo’s announcement on Wednesday, Verizon said: “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”

Yahoo said the compromised data-set may include names, email addresses, telephone numbers and birth dates. It also included passwords that were scrambled using an encryption technology called MD5 and “in some cases, encrypted or unencrypted security questions and answers”. No bank details or credit cards were stolen, it added.

“Yahoo is notifying potentially affected users and has taken steps to secure their accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers so that they cannot be used to access an account,” the California-based company said.