Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.
The company said hackers breached its network in late 2014 in what it believes was a state-sponsored attack.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo! said in its security notice.
In early August, a hacker claimed to possess 200 million Yahoo user accounts that he offered for sale on a dark web cybercrime marketplace for a just few Bitcoins.
The hacker, known online as “Peace” and “peace_of_mind” was selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.
Yahoo! is asking potentially affected users to change their passwords and adopt alternate means of account verification as soon as possible.
Unencrypted security questions and answers were also invalidated so they cannot be used to access a Yahoo! account.
Users who haven’t changed their passwords since 2014 should do so, Yahoo said.
The company also encouraged users to consider using Yahoo Account Key, which that eliminates the need to use a password completely.
The public disclosure of the breach comes shortly after Verizon agreed to acquired Yahoo’s core business for $4.8 billion.
“The Verizon purchase apparently comes with some ‘baggage’. The likelihood of this beach affecting the purchase is however, quite small,” Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, told SecurityWeek.
Yahoo! previously confirmed suffering another breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo! Contributor Network.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
Latest News
- Dozens of Malicious Extensions Found in Chrome Web Store
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
- Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards
- SBOMs – Software Supply Chain Security’s Future or Fantasy?
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
