A “state-sponsored actor” stole personal data from at least 500 million Yahoo user accounts, the troubled tech company said Thursday.
The pilfered data contains a wealth of personal information, including “names, email addresses, telephone numbers, dates of birth, hashed passwords […] and, in some cases, encrypted or unencrypted security questions and answers,” Bob Lord, Yahoo’s chief information security officer, said in a statement.
The hacker (or hackers) do not appear to have obtained data about users’ credit cards or bank accounts, Lord noted, which he said are stored on a separate system.
Yahoo believes the data was stolen in “late 2014.” It’s unclear when the company first became aware of the breach; a pseudonymous hacker first publicly offered to sell Yahoo data last month. The Wall Street Journal has more:
No evidence has been found to suggest the state-sponsored actor is currently in Yahoo’s network, and Yahoo didn’t name the country it suspected was involved. In August, a hacker called “Peace” appeared in online forums, offering to sell 200 million of the company’s usernames and passwords for about $1,900 in total. Peace had previously sold data taken from breaches at Myspace and LinkedIn Corp.
A Yahoo spokesman said at the time that the company was aware of the claim and was “working to determine the facts.”
In 2012, Yahoo had more than 1 billion user accounts in its databases. User passwords were protected via a cryptographic algorithm called MD5, which can be cracked using the latest password-breaking techniques, said a source familiar with the situation.
Disclosure of the breach comes two months after Yahoo, once among the most powerful tech companies in Silicon Valley, said it would sell its core internet business to telecom giant Verizon for $4.8 billion. It’s unclear how the hack could affect the yet-to-be-finalized sale. Verizon said Thursday it learned of the breach “within the last two days” but that it had few details.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders, and related communities,” the company said in a statement. “Until then, we are not in position to further comment.”