Yahoo says at least 500 million accounts hacked, blames "state-sponsored actor"

Yahoo today confirmed that it suffered a massive data breach that exposed information for at least 500 million user accounts in 2014. If you have a Yahoo account, the company says you should review all your online accounts for any suspicious activity.

"The company was the victim of hacking that has exposed several hundred million user accounts," according to Recode's anonymously-sourced report, and government investigations and legal actions related to the breach are expected. Sources told Recode the hack was "widespread and serious."

Yahoo says the attacker is believed to be a "state-sponsored actor," but didn't specify which country might be implicated.

After Recode's report was released, Yahoo published a statement acknowledging the breach and providing more details on its scope.

Exposed data included names, email addresses, telephone numbers, dates of birth and hashed passwords, but may *not* have included "unprotected" passwords, payment card data or bank account information.

A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter.

Word of a new and significant data breach involving the company first broke last month, but the confirmation from Yahoo and facts about how many accounts were impacted are big news today.

From Recode:

The announcement (…) also has possible larger implications for the $4.8 billion sale of Yahoo's core business — which is at the core of this hack — to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.

That deal is now moving to completion, but the companies cannot be integrated until it is approved by a number of regulatory agencies, as well as Yahoo shareholders. Representatives of Verizon and Yahoo started meeting recently to review the Yahoo business, so that the acquisition would run smoothly once complete.

But there's nothing smooth about this hack, said sources, which became known in August when an infamous cybercriminal named "Peace" claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The data allegedly included user names, easily decrypted passwords and personal information like birth dates and other email addresses.

At the time, Yahoo said it was "aware of the claim," but the company declined to say if it was legitimate and said that it was investigating the information. But it did not issue a call for a password reset to users. Now, said sources, Yahoo might have to, although it will be a case of too little, too late.

"An Important Message to Yahoo Users on Security"