Yahoo confirms at least 500M accounts impacted by 2014 security breach

Yahoo on Thursday announced that information associated with at least 500 million accounts was stolen in a security breach of its network in 2014, claiming a "state-sponsored actor" was behind the attack.

According to a statement released through Yahoo's official Tumblr page, the data leak includes names, email addresses, telephone numbers, dates of birth, passwords and security questions. Yahoo does not believe unprotected passwords, payment card or banking account information was stolen in the breach, as such data was not stored on the compromised system.

Yahoo stumbled upon the breach this summer while investigating a separate incident involving data stolen from the company's servers, The New York Times reports. At the time, hackers posted an alleged cache of Yahoo user data to underground forums and marketplaces. While Yahoo's findings were inconclusive, the investigation unearthed a 2014 breach claimed to have been executed by a state-sponsored actor, the report said.

Though Yahoo declined to name the country it believes was involved in the attack, the company said an ongoing investigation found no evidence that the person or persons are currently on its network.

In addition to its own internal investigation, Yahoo is cooperating with law enforcement agencies to resolve the matter.

"An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries," said Bob Lord, CISO at Yahoo. "Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."

Yahoo is in the process of notifying users who might be affected by the breach via email. Those impacted are urged to change their passwords and method of account verification. The company also suggests users who have not updated their password credentials since 2014 do the same. As a precaution, Yahoo invalidated unencrypted security questions and answers to deny unsolicited access into compromised accounts.

News of the security breach comes at a sensitive time for Yahoo, which is in the midst of being taken over by Verizon Communications in an acquisition worth $4.8 billion. The Times reports Verizon is still moving forward with the purchase, though what effect the breach might have on Yahoo's price is unclear.