Yahoo has confirmed a massive data breach affecting at least 500 million accounts, in what may be one of the largest cyber–security attacks ever.
The company says names, email addresses, telephone numbers, dates of birth and passwords may have been stolen from its network in 2014 by what it believes was a “state sponsored actor”.
That means an individual working on behalf of a government.
It’s thought unprotected passwords, payment card data or bank account information had NOT been taken.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said.
Yahoo said it was working with law enforcement on the matter.
A large–scale data breach was first rumoured a month ago when a hacker calling themselves “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace.
At the time, Yahoo said it was aware of the situation and was investigating.
It is now in the process of notifying potentially affected users, telling them to change their passwords quickly and adopt alternate means of account verification.
Yahoo has invalidated unencrypted security answers and questions so they cannot be used to access an account.
It was not clear how this disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications.
Verizon said in July it would buy Yahoo’s core internet properties for $US4.83 billion ($A6.33 billion).
Verizon said on Thursday it was notified of the breach in the last two days.
“We will evaluate as the investigation continues through the lens of overall Verizon interests … Until then, we are not in position to further comment,” the company said.