1. News
  2. Privacy

Yahoo confirms massive data breach of 500 million accounts

'State-sponsored actor' suspected, users asked to change passwords

Yahoo's influence has been waning in recent years, but it has leaped into the forefront of data breaches with today's revelation that 500 million user accounts have been compromised.

User information including name, email address, telephone number, date of birth, passwords, and, in some cases, security questions and answers were stolen from Yahoo in late 2014, the company said today, adding it suspects a "state-sponsored actor" was behind the massive incursion.

"Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo  account," the company said. "The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information."

Yahoo also suggested consumers use Yahoo Account Key, an authentication tool that eliminates the need to use a password altogether.

No payment data

Stolen information did not include payment card data, or bank account information, Yahoo said. Payment card data and bank account information are not stored in the system that the investigation has found to be affected. 

Yahoo said it was notifying potentially affected users. 

Verizon agreed to buy the struggling internet company for $4.8 billion in July, as part of its strategy to add compelling content to its wireless services. It also bought AOL, including The Huffington Post, earlier.

Critics were quick to pronounce the breach a disaster for the rapidly fading giant.

“Yahoo may very well be facing an existential crisis. Already besieged by business execution issues and enduring a fire sale to Verizon, this may be the straw that breaks the camel’s back," said Corey Williams, senior director of products and marketing at Centrify, an internet security company. "Since this breach occurred in 2014, it wasn’t properly communicated or handled, and it may very well give Verizon an 'out' or a reason to renegotiate."

Williams said the incident was "less of a story about ... passwords being exposed and more about how lax security and poor handling of incidents can impact the very existence of a company."

Take an Identity Theft Quiz. Get matched with an Authorized Partner.