Yahoo just revealed that in August 2013, someone stole data linked to more than one billion accounts. Back in September, the company announced a 2014 security breach affecting some 500 million users; however, it believes these two incidents are "likely distinct." Additionally, the company says that it believes the same hackers from the 2014 breach dug into its code and figured out how to forge cookies to target specific accounts. It has invalidated the forged cookies and notified holders of the accounts they were used to access in 2015 or 2016.
Need a spreadsheet or a chart to keep track of all the ways your Yahoo account info is probably floating around right now? There is an FAQ to try to help users figure out what has been stolen, when and how they might be affected.
Still, the massive size of this breach means that for Yahoo users, information including "names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers" is potentially out there. The company is reaching out to potentially affected users, so there should be a message coming your way soon, and the security questions and answers have been invalidated. Of course, if you've used the same information for a security answer somewhere else, then whoever has it could use those answers against you -- change them.
Yahoo's ongoing security investigation and users left scrambling to reset passwords and security questions (again) are just one part of the puzzle. It's unclear how these new revelations affect its $4.83 billion acquisition by (Engadget and AOL parent company) Verizon. Previous reports indicated the carrier could be looking for a discount or way out of the deal altogether, and this bad news probably won't help.