Yahoo has confirmed a large-scale data breach: 500 million accounts have been compromised by what it believes was a state-sponsored hack.
Names, email addresses, telephone numbers, and hashed passwords may have been stolen as part of the hack, which occurred in late 2014, Yahoo said.
The company reported the breach on Thursday after a stolen database from the company went on sale on the black market last month.
However, the hacker behind the sale claimed that the stolen database involved only 200 million users and was likely obtained in 2012.
It’s unclear if Thursday’s breach is connected. But Yahoo has been notifying affected users and asking them to change their passwords.
“We are recommending that all users who haven’t changed their passwords since 2014 do so,” the company said in a statement. It’s also asking that users review any suspicious activity related to their accounts.
Yahoo said it would notify users who may have been affected, and urged those who had not changed their Yahoo passwords since 2014 to do so.
The company also noted that it believed “unprotected passwords, payment card data, or bank account information; payment card data and bank account information” were not compromised in the hack.
A Yahoo spokesperson said the company was aware of the claim and that a “security team is working to determine the facts”.
Yahoo has previously had several issues with hackers and data breaches.
In 2015, hackers were able to hijack Yahoo’s ad network for a week, spreading malware via advertisements to millions of users.
Yahoo is taking the following actions to protect users:
- Notifying potentially affected users. The content of the email Yahoo is sending to those users will be available at https://yahoo.com/security-notice-content beginning at 11:30 am (PDT).
- Asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
- Invalidating unencrypted security questions and answers so they cannot be used to access an account.
- Recommending that all users who haven’t changed their passwords since 2014 do so.
- Working closely with law enforcement on this matter.