Yahoo officially admitted Thursday, via a statement on its website, that data from at least 500 million user accounts has been stolen, confirming one of the largest security breaches ever after years of speculation.
Yahoo confirmed that user account information was stolen from the company's network “in late 2014 by what it believes is a state-sponsored actor.” The company suggests the stolen information could include personal credentials such as names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and even security questions and answers.
The ongoing investigation also revealed that unprotected passwords, payment card data and bank account information were not included in the stolen information, since that info isn’t stored in the affected system. Yahoo stated that the company is working with law enforcement to further investigate the matter and has found no evidence that the state-sponsored actor is currently in its network.
Verizon, the company that acquired Yahoo’s core business for $4.83 billion in July, released a statement saying that it had only learned of the breach “within the last two days,” according to USA Today.
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” Verizon said.
According to Motherboard, the hacker, a known cybercriminal by the name of peace_of_mind, listed user credentials for 200 million Yahoo accounts on TheRealDeal, a marketplace on the dark web.
The credentials, including usernames, passwords and personal information, were posted on the site for a price of $1,800.
Discussions of hacked Yahoo Mail usernames occurred back in 2014, and Motherboard reported that Yahoo acknowledged in August of this year that it was investigating the data breach now in the spotlight.
In an August email, a Yahoo spokesperson told Motherboard, “We are aware of a claim … We are committed to protecting the security of our users’ information and we take any such claim very seriously.
“Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
Mashable reached out to Yahoo for comment and will update this article once we receive a response.
Additional reporting by Jason Abbruzzese.