Yahoo has confirmed that account information of an estimated 500 million users was stolen from the company's network in late 2014. The company believes that the data breach was carried out by a "state-sponsored actor", but its investigation has found that no such agent is currently in its network, Yahoo said in a blog post on Thursday.
"An increasingly connected world has come with increasingly sophisticated threats. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure," Yahoo said.
The information stolen may have included names, email addresses, phone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and encrypted or unencrypted security questions and answers in some cases, according to the blog post. However, their investigation did confirm that no details of payment card data or banking-related information were stolen as this data is "not stored in the system that the investigation has found to be affected".
Yahoo said it is "working closely with law enforcement on this matter" and is taking steps to protect user information and "detect and prevent unauthorised access to user accounts. Users are being urged to change their passwords and security questions at the earliest and "adopt alternate means" to verify their accounts. The company has also encouraged users to opt for the Yahoo Account Key that does away with the need to use a password altogether.
Some believe this data breach may potentially affect its pending deal worth $4.8 billion (approximately Rs 32,000 crore) with Verizon. The United States-based telecom major was set to buy out Yahoo's real estate holdings, while Yahoo would keep its stakes in Alibaba Group Holding Ltd, Yahoo Japan Corp, as well as some patents, which are worth $40 billion (Rs 2.6 lakh crore) in total.