Yahoo Inc. announced a massive data breach Thursday, capping a rough year of business for the tech giant and potentially jeopardizing the $4.8 billion sale of its core internet business to Verizon. "A state-sponsored actor" stole information from at least 500 million Yahoo accounts in late 2014, the company said in a statement advising its users to change their passwords and review personal accounts for any suspicious activity.
According to Yahoo, hackers were able to obtain a copy of certain users' account information, which may have included names, email addresses, telephone numbers, birth dates, hashed passwords, and — in some cases — encrypted or unencrypted security questions and answers. Although an investigation into the data breach is ongoing, Yahoo said it did not believe the compromised information included unprotected passwords, payment card data, or bank account information, as that is not stored in the system accessed by what the tech company is calling "a state-sponsored actor."
"Yahoo believes that information associated with at least 500 million user accounts was stolen," the company said in a statement released Thursday. "The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter."
The company said it was in the process of notifying affected users and securing their accounts by invalidating any unencrypted security questions and answers, but advised all users still using a password they had in 2014 to change it. Yahoo also recommended users change their password and security questions and answers on other accounts if they were using the same or similar information as that in their Yahoo account.
"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," Yahoo said in its statement. The company directed users seeking to bolster security around their account to its new authentication feature, the Yahoo Account Key, which seeks to replace passwords with a cell phone notification system.
Rumors of a massive data breach at Yahoo first cropped up in August when a hacker by the name "Peace" listed 200 million Yahoo users' personal information (including user names, passwords, and birth dates) for sale. Yahoo said it was "aware" of the hacker's claim at the time, but refrained from acknowledging its legitimacy.