By Robert McMillan, Ryan Knutson and Deepa Seetharaman
Yahoo Inc. said a newly discovered data breach affected more than a billion users, dwarfing the scope of another recently disclosed hack and raising fresh questions about whether Verizon Communications Inc. will follow through with its acquisition of the internet company.
The newly revealed theft, which Yahoo said happened in 2013, is separate from and twice as large as the hack from 2014 that Yahoo disclosed earlier this year. That previous hack was billed as likely the largest-ever theft of personal data.
Yahoo said Wednesday unidentified hackers penetrated its network in August 2013 and stole data including names, email addresses, telephone numbers, dates of birth and passwords. The company believes the incident is distinct from the 2014 one disclosed in September, and that the hackers involved are no longer in its corporate network.
The latest disclosure further tarnishes Yahoo's reputation and could jeopardize Verizon's $4.83 billion acquisition of the core internet business, a deal that was announced on July 27 and was expected to close in early 2017. In October, Verizon signaled it could consider the 2014 breach a material event that could allow the company to change the terms of the acquisition.
The two sides were discussing the impact of that first data breach when the second was discovered. The telecom company learned of the latest breach in the past few weeks, a person familiar with the matter said. The company still has all options on the table, including renegotiating the deal's price or walking away, the person said.
"We will evaluate the situation as Yahoo continues its investigation," Verizon said Wednesday. "We will review the impact of this new development before reaching any final conclusions."
A spokesman said Yahoo is confident in the company's value and is continuing with its integration plans. "We have been in communication with Verizon leadership throughout the investigation," he said.
Verizon had been negotiating with Yahoo over how much of the future liabilities associated with the 2014 hack the remaining Yahoo company would shoulder, people familiar with the matter said. Verizon wasn't trying to reduce the purchase price of Yahoo because the cost of future liabilities, if any, is unknown, the people said, so asking for a price discount would effectively be a bet.
The sides were close to an agreement, the people familiar said, but that has been derailed after the discovery of this latest, larger breach. Now, Verizon will again wait to see how much the hack affects the number of users or the overall value of the company.
Yahoo's assets, which include websites such as Yahoo Finance, Sports and News, still make strategic sense for Verizon, one of the people said. If Verizon finds that the overall value of Yahoo hasn't changed, then the issue could be resolved by simply splitting future liabilities.
Yahoo isn't sure how many records in total were taken during the two incidents, because a subset of the 1 billion stolen in 2013 were likely also taken in 2014, the company spokesman said. Yahoo learned of the 2013 breach in November when law enforcement provided the company with "data files that a third party claimed was Yahoo data."
The 2014 break-in was done by a state-sponsored actor, Yahoo has said, but it isn't clear who was behind the 2013 incident.
In September, The Wall Street Journal reported that criminals were selling access to a database of user accounts and that portions of that database had been obtained by the security research firm InfoArmor Inc.
In early November, InfoArmor handed over tens of millions of these records to the Federal Bureau of Investigation, the company said Tuesday.
Now Yahoo's users are again being urged to review all of their online accounts and to change their passwords and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.
It also recommended users avoid clicking links or downloading attachments from suspicious emails and remain cautious of unsolicited communication asking for personal information.
Separately, Yahoo, which had previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password, said Wednesday it believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies.
Yahoo is notifying affected account holders, and has invalidated the forged cookies.
Shares in the company lost more than 2% after hours to $39.91.
---Anne Steele contributed to this article.
(END) Dow Jones Newswires
December 14, 2016 19:45 ET (00:45 GMT)
Copyright (c) 2016 Dow Jones & Company, Inc.