Yahoo has revealed it has suffered from two more incidents in which hackers stole information about more than one billion users.
The latest incidents are separate to a security breach the company disclosed on September 22, in which a state-sponsored actor stole a range of personal information on 500 million users.
Yahoo users were also among 272 million people who had their unencrypted unique usernames and passwords leaked in May, while a further 400,000 Yahoo Mail accounts compromised in a July 2012 breach.
The latest two breaches were revealed in a recent Yahoo blog post, along with an FAQ detailing what it currently knows about the situation.
In the first incident, law enforcement provided the company with data files that a third party claimed was data from its users.
As a result of analysis conducted by external forensic experts, Yahoo was able to confirm that the data associated with more than one billion user accounts was stolen in August 2013. However, the company is yet to uncover the specific breach that led to the data being exposed.
The stolen data includes names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and answers to security questions, but is not believed to include passwords in clear text, payment card data or bank account information.
In the second incident, revealed in the same blog post, the unnamed state-sponsored actor responsible for the September 22 breach is believed to have used forged cookies in order to access user accounts without a password.
Browser cookies are a small piece of data sent from a website such as Yahoo and stored on a user's computer to ‘remember’ information such as whether a particular user has previously logged into an online service using a particular account.
“Based on Yahoo’s ongoing investigation, we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies,” Yahoo said in its FAQ.
“The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. The company is notifying the affected account holders, and has invalidated the forged cookies.”
A Yahoo spokesperson declined to give details about how many Australians were affected.
"The incidents disclosed today had a global impact. We aren’t offering specificity with regard to impact on particular countries or regions," the spokesperson told BIT.
Yahoo is urging all of its readers to review all of their online accounts for suspicious activity and to change their passwords and security questions and answers for any other accounts on which they use the same login details as their Yahoo account.
The company is also urging users to be cautious of unsolicited emails asking for personal information, and to use its account key product to secure their accounts.
Another option is to switch to another email provider, of course.
To be fair, plenty of other online services have also been breached over the past few years. Sites such as Have I been pwned can tell you if any of your online accounts have been compromised.
It may be also helpful to revisit our guide on How to protect your email account.