Yahoo has announced details of a massive data breach, in which "information associated with at least 500 million user accounts was stolen".
The company said today that the data was stolen from its network in late 2014, and attributed the theft to an unnamed "state-sponsored actor". It said in a press release that it had confirmed the circumstances of the breach as part of "a recent investigation", but it is unclear why it took the company two years to ascertain and disclose full details of the incident.
Yahoo said that its investigation is "ongoing", but so far, it believes that the stolen data "did not include unprotected passwords, payment card data, or bank account information", which are stored on a separate system that was apparently unaffected by the breach.
However, a considerable amount of personal data relating to at least half a billion Yahoo users was compromised, including:
- Email addresses
- Telephone numbers
- Dates of birth
- Hashed passwords ("the vast majority with bcrypt")
- Security questions and answers, some encrypted and some unencrypted
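What "hashed, the vast majority with bcrypt" means in practice, as an added example that is not Yahoo's code or data: a dictionary attack run over a constructed three-user leak stored two ways, once as unsalted fast hashes and once as salted, iterated hashes. The wordlist and accounts are made up for the demonstration, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (an assumption made because bcrypt is not in the stdlib); the property the two share is what the example shows: a per-user salt defeats a precomputed lookup table and the work factor multiplies the cost of every guess, yet a password that appears in the attacker's wordlist still falls, which is why users are being told to change theirs.

```python
import hashlib
import hmac
import os

# Constructed wordlist and "leaked" accounts for the demonstration; not real data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "hunter2", "yahoo2014", "welcome1"]
ACCOUNTS = {
    "alice": b"123456",                    # weak, in the wordlist
    "bob": b"letmein",                     # weak, in the wordlist
    "carol": b"glacier-otter-94-quartz",   # strong, not in the wordlist
}


def fast_hash(password: bytes) -> str:
    """Unsalted fast hash (SHA-1): one cheap operation per guess, and identical
    passwords give identical hashes, so one guess is checked against every user at once."""
    return hashlib.sha1(password).hexdigest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 50_000) -> str:
    """Salted, iterated KDF. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption:
    bcrypt is not in the stdlib); what matters is the per-user salt and the tunable
    work factor paid on every guess."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: bytes, stored: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_leak(accounts=ACCOUNTS):
    """Produce the two dumps an attacker might obtain: unsalted fast hashes and salted slow ones."""
    fast = {user: fast_hash(pw) for user, pw in accounts.items()}
    slow = {user: slow_hash(pw, os.urandom(16)) for user, pw in accounts.items()}
    return fast, slow


def crack_fast(fast_dump, wordlist=WORDLIST):
    """Dictionary attack on unsalted hashes: hash each word once, then look every user up.
    Returns (recovered passwords, number of hash computations performed)."""
    table = {fast_hash(w.encode()): w for w in wordlist}
    found = {user: table[h] for user, h in fast_dump.items() if h in table}
    return found, len(wordlist)


def crack_slow(slow_dump, wordlist=WORDLIST):
    """Same attack on salted, iterated hashes: the salt forces a fresh KDF run for every
    (user, guess) pair, and each run costs `iterations` HMAC calls instead of one hash."""
    found, work = {}, 0
    for user, stored in slow_dump.items():
        for w in wordlist:
            work += 1
            if verify_slow(w.encode(), stored):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    fast_dump, slow_dump = build_leak()
    print("unsalted fast hashes:", crack_fast(fast_dump))
    print("salted slow hashes:  ", crack_slow(slow_dump))
```

The two weak passwords are recovered from both dumps; the difference is cost. The unsalted dump is cracked with eight hash computations for all users combined, while the salted dump needs a separate KDF run per user per guess (thirteen here), each of which is tens of thousands of times more expensive than a single SHA-1. Scale that to hundreds of millions of accounts and bcrypt buys users time to change their passwords; it does not make "123456" safe.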
Yahoo says that it is now "taking action to protect our users":
- We are notifying potentially affected users. The content of the email Yahoo is sending to those users will be available at https://yahoo.com/security-notice-content beginning at 11:30 am (PDT).
- We are asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
- We invalidated unencrypted security questions and answers so they cannot be used to access an account.
- We are recommending that all users who haven’t changed their passwords since 2014 do so.
- We continue to enhance our systems that detect and prevent unauthorized access to user accounts.
- We are working closely with law enforcement on this matter.
There were indications last month that Yahoo was preparing to confirm a breach affecting as many as 200 million accounts, but today's announcement establishes the 2014 breach as one of the most serious such incidents to date.
In July, Yahoo announced that it had agreed terms to sell its core business to Verizon in a deal worth $4.83 billion.