On Thursday afternoon, Yahoo officially confirmed data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches in history.
In the statement, the recently-sold internet giant said it believes a “state-sponsored actor” — an individual acting on behalf of a government — was behind the massive data breach, which is believed to have occurred in 2014. The stolen data include names, email addresses, telephone numbers, birthdays, hashed passwords, and some “encrypted or unencrypted security questions and answers.”
Yahoo is urging users to review their accounts for suspicious activity. The company is also asking that all affected users change their password and security questions, and recommending that anyone who hasn’t done so since 2014 to take the same precautions.
Although the hack occurred in late 2014, Yahoo is just now addressing the issue after rumors of a large-scale breach began circulating in August when a hacker — who goes by the name “Peace”— claimed to be selling data from 200 million Yahoo users. According to CNN, the same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace. Yahoo initially said it was “aware of a claim” and was investigating the situation.
As confirmed today, it turns out the situation is far worse than Yahoo originally thought. With “at least” 500 million user account credentials being stolen, this latest hack may be the most disastrous breach of all time. Prior to Yahoo’s Thursday announcement, the largest hack to date was MySpace’s breach of 427 million user accounts which was confirmed earlier this year. With LinkedIn and Dropbox suffering similar fates this year as well — reportedly from the same hacker — it remains clear that, regardless of how far the internet has come, data security remains a particularly volatile problem.
The data breach comes at a particularly sensitive time for Yahoo, which was purchased by Verizon for $4.83 billion in late July, just days before the hack was first reported. Some shareholders reportedly fear that the mega-breach could change the price of the transaction and create a massive headache for both companies. The deal is expected to close in the first quarter of 2017.
Yahoo says that there is no evidence that the hacker still has access to Yahoo’s network or internal services.