Yahoo disclosed it was the target of a massive cybersecurity breach that exposed details of over 500 million users.
In a press release today (Sept. 22), Yahoo confirmed that it was the victim of a hack in late 2014. The company believes the hack—compromising names, email addresses, phone numbers, birth dates, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers—was carried out by a “state sponsored actor,” the release said. (Yahoo did not immediately respond to a request from Quartz for further information.) The internal investigation found that “unprotected passwords, payment card data, or bank account information” were not stolen.
The data breach first came to light in August this year, when hacker “Peace” alleged that almost 200 million Yahoo accounts were for sale on the dark web. Prior to the Yahoo attack, Peace was infamous for offloading hacked data from MySpace and LinkedIn. He had speculated that the hack took place in “2012 most likely.” At the time, Yahoo said it was reviewing the allegations.
The announcement comes while the company is in the midst of finalizing its $4.8 billion sale to Verizon. The telecom company was excited at the prospect of using Yahoo’s core assets to compete with giants like Google and Facebook in the online advertising space. Verizon said in a statement that it only learned about the breach within the last two days, and that it will “evaluate as the investigation continues.” Yahoo’s share price was flat on the day at the time of publication. The deal is slated to close in the first quarter of 2017.
Yahoo said it is working to secure the vulnerable accounts and coordinating with law enforcement. The company is in the process of notifying users who were possibly affected. In the meantime, it recommends that those who haven’t changed their passwords since 2014 do so immediately.
In May 2013, 22 million user IDs associated with Yahoo Japan—in which Yahoo had a 35% stake at the time—were leaked. During that hack, passwords and data necessary for identity verification to reset passwords were not compromised.