Yahoo says information from at least 500 million user accounts was stolen in hack

The internet company believes a "state-sponsored actor" was to blame for the hack

Yahoo says information from at least 500 million user accounts was stolen in hack

Image: Marcio Jose Sanchez / AP/Press Association Images

Yahoo says information from at least 500 million user accounts was stolen in a hack.

The data was taken in 2014 and may have included names, email addresses and dates of birth.

However, the firm says it might not have included unprotected passwords, payment card information or bank account details.

The company thinks what it describes as a "state-sponsored actor" was to blame.

"Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account," the company said in a press release.

According to Yahoo, "online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry".

It adds: "Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo’s program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice."

Alex Holden, founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web, told the New York Times that the attack is "one of the biggest breaches of people's privacy and very far reaching".

He added: "The stolen Yahoo data is critical because it not only leads to a single system but to users' connections to their banks, social media profiles, other financial services and users' friends and family."

It is not clear how the news will affect Yahoo's plans to sell its email service and other core internet properties to Verizon Communications.
The $4.8bn deal was announced in July but Verizon has said it was only told of the data breach in the last two days.

In a statement, Verizon said: "We will evaluate as the investigation continues through the lens of overall Verizon interests... Until then, we are not in position to further comment."

The deal is expected to close in the first quarter of next year, which may give them some room to renegotiate the purchase price or even to walk away.