The company employed investigators to confirm that the information belonged to their users, and said the hack is “likely distinct” from a similar incident in September 2016. Telephone numbers, birth dates, email addresses, and security questions and answers may have been compromised. There is no indication currently that debit, credit card or bank account information was stolen, as that data is not stored in the area of their network that was affected.
Yahoo’s chief information security officer, Bob Lord, wrote in a statement, "We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords. We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account. With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts."
The company has a separate ongoing investigation into the use of forged cookies, whereby hackers could access accounts without a password. Based on company findings, it is believed that an unauthorized third party was able to obtain the site’s proprietary code as a means to fabricate the cookies. Yahoo believes this is related to the September 2016 data theft.
In the September incident, Yahoo said a "state-sponsored actor" was responsible for the theft of data from 500 million user accounts.
Lord said, in a statement at the time, "An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."