On Thursday afternoon, Yahoo announced in a press release that it “has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.” The tech company estimates that “information associated with at least 500 million user accounts” was compromised, though there’s “no evidence that the state-sponsored actor is currently in Yahoo’s network.” As is normally the case after these hacks are discovered, Yahoo is advising users to increase their account security, including using their text message-based authenticator instead of passwords.
The list of compromised information “may have included” things like names, email addresses, telephone numbers, dates of birth, encrypted passwords, “and, in some cases,” security questions and answers. The statement notes that the security questions and answers may be “encrypted or unencrypted,” which isn’t exactly helpful information, but thankfully, the hack does not appear to include “unprotected passwords, payment card data, or bank account information.”
The announcement comes almost two months after Motherboard initially reported that hackers were offering up “200 million” Yahoo accounts on the “dark web.” Yahoo didn’t confirm it until now, though. As of this writing, there have been no reports as to who the “state-sponsored actor” is, but it would appear to be code for Russia or maybe China based on other recent major hacks.