Yahoo has confirmed a data breach “associated with at least 500m user accounts.”
A statement from CISO Bob Lord said a copy of certain user account information was stolen in late 2014 by what Yahoo believes is a state-sponsored actor.
That account information potentially includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions and answers. Yahoo said its investigation suggests the information did not include unprotected passwords, payment card data or bank account information, as the latter are “not stored in the system that the investigation has found to be affected.”
Yahoo also said the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network and Yahoo is working with law enforcement.
In the meantime, Yahoo said it is notifying potentially affected users and asking them to change their passwords and “adopt alternate means of account verification.” It is also asking users who haven’t changed their passwords since 2014 to do so now.
In addition, Yahoo said it has invalidated unencrypted security questions and answers so they cannot be used to access an account, and it has asked users to consider its authentication tool, Yahoo Account Key.
This story is developing.