If you’re a Yahoo user, listen up: Information associated with at least 500 million accounts was stolen sometime in 2014, the company confirmed Thursday.
Yahoo suspects a state-sponsored actor was behind the crime, which CNN Money is characterizing as potentially “one of the largest cybersecurity breaches ever.”
In a statement, Yahoo says:
The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information.
Yahoo says it will send an email notification to people whose accounts were affected by the breach. Users will be asked to change their passwords. In addition, unencrypted security questions and answers have been invalidated.
If you have a Yahoo account and have not changed your password since 2014, Yahoo urges you to make such a change now.
Rumors of a Yahoo-related data breach have been floating around for some time. In fact, just prior to Yahoo’s announcement, Recode reported that the tech company was expected to soon confirm the data breach.
Initial reports of a suspected data breach emerged earlier this summer. According to an Aug. 1 story from Motherboard, a hacker known as Peace was selling Yahoo user data on a dark web marketplace for 3 bitcoins, or approximately $1,860.
Yahoo told Motherboard at that time that it was “aware of the [data breach] claim” and would investigate it.
The timing of the huge data breach couldn’t be worse for Yahoo, which is in the process of selling its email service and other core internet assets to Verizon for $4.8 billion.
“The scale of the liability could bring untold headaches to the new [Yahoo] owners,” says Recode.
Prior to Thursday’s announcement, Recode noted that Yahoo had not called for users to reset their passwords, and that if it did, “it will be a case of too little, too late.”
For its part, Yahoo offers the following tips to its users:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Yahoo also urges users to start using Yahoo Account Key, an authentication tool that eliminates the need for a password.