Information from at least 500 million Yahoo accounts was stolen from the company in 2014, the company said Thursday, indicating it believes a state-sponsored actor was behind the hack the Sunnyvale, California-based company confirmed.
The theft may have included names, email addresses, telephone numbers, dates of birth, and in some cases, encrypted or unencrypted security questions and answers, Yahoo said.
The company is investigating the breach with law enforcement but currently believes that credit card or bank details were not included in the stolen data.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” said the company in a statement.
Yahoo is notifying users who may have been affected and says that anyone who has not changed their Yahoo passwords since 2014 should do so. The company has also invalidated affected users’ security questions so that they can’t be used to access accounts.
“Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account,” said the company.
Nevertheless, the news may jeopardise the $4.8bn sale of Yahoo’s core business to Verizon, announced in July.