
Yahoo Reveals Over One Billion More Accounts Have Been Hacked

UPDATE Oct 3, 2017: Yahoo has updated its estimates—now reports that “all accounts that existed at the time of the August 2013 theft were likely affected.”

Just a few months after Yahoo confirmed a massive data breach impacting half a billion users, the company today disclosed a second major breach of its systems affecting over a billion users. In a statement published on Wednesday, Yahoo’s chief information security officer, Bob Lord, says: “Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.”

The stolen data is reported to have included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

Stolen data also includes government employee information, Jordan Robertson reporting in Bloomberg: “More than 150,000 U.S. government and military employees are among the victims of Yahoo! Inc.’s newly disclosed data breach… The government accounts belong to current and former White House staff, U.S. congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the U.S. military. The list includes an FBI division chief and multiple special agents working around the U.S.; current and former diplomats in Pakistan, Syria and South Africa; a network administrator at NSA’s Fort Meade headquarters; the chief of an Air Force intelligence group; and a human resources manager for the CIA.”

“Lord said the attackers had worked out a way to forge ‘cookies’ that Yahoo places on user computers when they log in,” writes Brian Krebs. “The attackers in this case apparently found a way to forge these authentication cookies, which would have granted them access to targeted accounts without needing to supply the account’s password. In addition, a forged cookie could have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.”

Yahoo says affected users are being notified and that it is taking steps to secure their accounts, including requiring users to change their passwords. More from the statement: “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account. With respect to the cookie forging activity, we invalidated the forged cookies and hardened our systems to secure them against similar attacks. We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”
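The two remediation steps in the statement, invalidating forged cookies and hardening the system against further forgery, correspond to a standard defensive pattern for authentication cookies: the cookie carries an HMAC over its claims computed with a versioned server-side secret, so a cookie whose contents were altered fails verification, a cookie past its expiry is refused (closing the “weeks or indefinitely” window Krebs describes), and rotating the secret invalidates every cookie issued under the old key in one step. The Python below is an added illustration of that pattern; it is not Yahoo’s code and says nothing about how Yahoo’s cookies were actually forged. The `CookieSigner` class, the secret values and the user names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class CookieSigner:
    """Issues and verifies authentication cookies protected by HMAC-SHA256
    under a versioned server-side secret. Rotating the secret retires the
    old key, so every cookie signed with it (genuine or forged) stops
    verifying at once."""

    def __init__(self, secret: bytes, key_version: int = 1):
        self._keys = {key_version: secret}
        self._current = key_version

    def rotate(self, new_secret: bytes) -> None:
        # Drop the old key entirely: cookies signed under it are now invalid.
        self._current += 1
        self._keys = {self._current: new_secret}

    @staticmethod
    def _b64(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

    @staticmethod
    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def _mac(self, key_version: int, payload: bytes) -> bytes:
        # The key version is bound into the MAC input so a tag cannot be
        # replayed under a different key identifier.
        msg = str(key_version).encode() + b"." + payload
        return hmac.new(self._keys[key_version], msg, hashlib.sha256).digest()

    def issue(self, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        """Return a cookie of the form <key_version>.<payload_b64>.<tag_b64>."""
        now = time.time() if now is None else now
        claims = {"sub": user_id, "exp": int(now) + ttl_seconds}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        tag = self._mac(self._current, payload)
        return f"{self._current}.{self._b64(payload)}.{self._b64(tag)}"

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the cookie is authentic, current and unexpired,
        otherwise None. Every failure path returns None so the caller cannot
        distinguish (and an attacker cannot probe) the reason."""
        now = time.time() if now is None else now
        try:
            ver_s, payload_b64, tag_b64 = cookie.split(".")
            version = int(ver_s)
            payload = self._unb64(payload_b64)
            tag = self._unb64(tag_b64)
        except (ValueError, TypeError):
            return None  # malformed cookie
        if version not in self._keys:
            return None  # signed under a retired key
        if not hmac.compare_digest(self._mac(version, payload), tag):
            return None  # tag does not match the claims: tampered or forged
        claims = json.loads(payload)
        if claims.get("exp", 0) <= now:
            return None  # expired: a leaked cookie cannot grant indefinite access
        return claims


def demo() -> dict:
    """Exercise the verifier against a valid, a tampered, an expired and a
    pre-rotation cookie. All inputs are constructed for this example."""
    signer = CookieSigner(b"example-secret-v1")  # placeholder secret
    t0 = 1_700_000_000
    good = signer.issue("alice", ttl_seconds=3600, now=t0)
    results = {"valid": signer.verify(good, now=t0 + 60) is not None}

    # Rewrite the claims to name a different user but keep the original tag.
    ver, _payload_b64, tag_b64 = good.split(".")
    altered = json.dumps({"exp": t0 + 3600, "sub": "admin"},
                         separators=(",", ":"), sort_keys=True).encode()
    tampered = f"{ver}.{CookieSigner._b64(altered)}.{tag_b64}"
    results["tampered_rejected"] = signer.verify(tampered, now=t0 + 60) is None

    results["expired_rejected"] = signer.verify(good, now=t0 + 7200) is None

    signer.rotate(b"example-secret-v2")  # placeholder secret
    results["rotated_rejected"] = signer.verify(good, now=t0 + 60) is None
    reissued = signer.issue("alice", ttl_seconds=3600, now=t0)
    results["reissued_valid"] = signer.verify(reissued, now=t0 + 60) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the server never trusts the claims in the cookie until the MAC has been checked with a constant-time comparison, and that key rotation is a single operation rather than a hunt for individual bad cookies: once the old key is gone, anything signed under it is dead, which is the effect a “we invalidated the forged cookies” step needs to have.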

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.
