Yahoo revealed today that at least half a billion of its users were hacked in late 2014, probably by a state actor. The breach may have exposed users’ names, email addresses, phone numbers, birthdates, hashed passwords and encrypted or unencrypted security questions and answers, Yahoo said in a blog post. The breach did not include unprotected passwords, payment card data or bank account information, the company said.
“An increasingly connected world has come with increasingly sophisticated threats,” said the post by Yahoo’s chief information-security officer, Bob Lord. “Industry, government and users are constantly in the crosshairs of adversaries. Through strategic, proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Yahoo emailed affected users about the breach today, asking them to immediately change their passwords and use alternate ways to verify their accounts. It also invalidated unencrypted security questions and answers. The company advised all users to change their passwords and security Q&A’s if they haven’t done so since 2014 and said it is “working closely with law enforcement” on the breach.
Verizon Communications, which in July agreed to buy Yahoo’s operating business for $4.83 billion, said it was notified of the breach within the last two days. The telecommunications giant said in a statement that it had “limited information and understanding of the impact,” adding, “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”
The sale is — or was — expected to close by April 1.
