Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.
The company said hackers breached its network in late 2014 in what it believes was a state-sponsored attack.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo! said in its security notice.
In early August, a hacker claimed to possess 200 million Yahoo user accounts that he offered for sale on a dark web cybercrime marketplace for a just few Bitcoins.
The hacker, known online as “Peace” and “peace_of_mind” was selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.
Yahoo! is asking potentially affected users to change their passwords and adopt alternate means of account verification as soon as possible.
Unencrypted security questions and answers were also invalidated so they cannot be used to access a Yahoo! account.
Users who haven’t changed their passwords since 2014 should do so, Yahoo said.
The company also encouraged users to consider using Yahoo Account Key, which that eliminates the need to use a password completely.
The public disclosure of the breach comes shortly after Verizon agreed to acquired Yahoo’s core business for $4.8 billion.
“The Verizon purchase apparently comes with some ‘baggage’. The likelihood of this beach affecting the purchase is however, quite small,” Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS, told SecurityWeek.
Yahoo! previously confirmed suffering another breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo! Contributor Network.