Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing half of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.
The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and possibly security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate the theft of payment data or bank account information, or unprotected passwords, the company said. Affected users are being notified and their accounts are being secured, it also said.
The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.
“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
The confirmation that accounts were compromised came almost two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker who previously sold data taken from LinkedIn and MySpace has posted information from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, citing the hacker, who uses the name Peace.
It’s worth noting, though, that many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information was of little value, either because most of it was obsolete, made-up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the data.
While the breach is a blow to Yahoo in particular, it more broadly underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years, either without the breached companies knowing or with them taking only minimal action based on whatever data hackers tell them was taken.