500 Million Yahoo Accounts Were Breached In 2014, So It's Really Time To Change Your Password

In some scary email news, Yahoo confirmed on Thursday that at least 500 million Yahoo user accounts had been hacked. In a press release, the company stated that copies of certain user info were stolen in 2014 by what it thinks was a "state-sponsored actor." According to the press release, some of the data affected includes "names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."

According to the release, Yahoo is working with law enforcement to determine who the "state-sponsored actor" might be. The press release also outlines information that was not affected by the breach:

The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

The best thing for you to do right now? Change your password, especially if you haven't since 2014. Another good step to take is changing security questions and reviewing your account for suspicious activity. Yahoo said it was notifying users who were potentially affected by the breach and working to secure their accounts.

Earlier in the day, Recode reported that Yahoo was likely going to confirm a number of accounts had been reported. Previously, the number of affected accounts was estimated at 200 million. According to Recode, the hack was first brought to light in August, when a cybercriminal named "Peace" claimed that he or she was attempting to make $1,800 selling 200 million Yahoo user credentials on the dark web.

USA Today suggests users do not click on links or open attachments that look suspicious or claim to be from Yahoo, because hackers often use large breaches like this for phishing opportunities. Overall, it's best to be wary of giving out your personal information if someone is asking for it via email in connection with the hack.