After nearly two months of speculation, Yahoo at 2:28 p.m. ET on Sept. 22 confirmed what many had suspected—the company was the victim of a massive data breach.
The breach, which was initially alleged to affect 200 million accounts, in fact, impacted at least 500 million user accounts, according to Yahoo.
Additionally, the breach was first reported to have occurred in 2012, but Yahoo is now confirming that the breach actually happened in 2014. On Aug. 1, 2016, a hacker known as Peace first alleged that he had 200 million Yahoo user accounts gained from a breach and he was selling them for three Bitcoins, which is worth approximately $1,900.
At the time, Yahoo would only publicly state that it was investigating the claim. The initial phase of the investigation has now been completed.
“A recent investigation by Yahoo Inc. has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo’s press release states.
The stolen user account information includes names, email addresses, telephone numbers, dates of birth, passwords and account security questions. Yahoo stated that the passwords were hashed with the bcrypt algorithm. Bcrypt is a secure hashing algorithm, which aims to scramble passwords to make it more difficult for an attacker to be able to decipher.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” Yahoo stated in an FAQ on the breach.
Yahoo is also claiming that the state-sponsored attacker behind the breach is not still in the company’s network. The company is working with law enforcement to track down the perpetrators of the breach.
Yahoo recommends that users who haven’t changed their account passwords since 2014 do so immediately. The company is also in the process of notifying all the impacted users and has already taken several proactive steps to minimize risk. Among the steps taken is that security questions and answers used for password resets have been invalidated.
Yahoo is also warning users about potential phishing risks related to the breach and advising users not to click on links in emails.
“If the email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information,” Yahoo’s FAQ states.
With the number of affected user accounts at more than 500 million, the Yahoo breach now stands alone as one of the largest ever confirmed. LinkedIn this year confirmed that it was the victim of a 2012 breach that affected 100 million users.
Yahoo actually had previously confirmed that it was also the victim of a breach in 2012 as a result of a SQL injection attack. That attack, however, only affected 450,000 Yahoo users.
Confirmation of the massive breach comes at a time of transition for Yahoo as the company is currently being acquired by Verizon for $4.38 billion. It’s unclear what, if any, impact the massive breach disclosure by Yahoo will have on the pending acquisition.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.