Yahoo Inc. on Thursday said the personal information in 500 million accounts was stolen in a security breakdown. The breach, the latest setback for the Internet company, dates back to late 2014.
The stolen data include users' names, email addresses, telephone numbers, dates of birth, passwords and security questions for verifying an account holder's identity. Yahoo is blaming the hack on a "state-sponsored actor."
"Yahoo is working closely with law enforcement on this matter," the company said in a statement. "Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry."
Yahoo recommended that users change their passwords if they haven't done so since 2014.
Technology news website Recode first reported Thursday morning that Yahoo was preparing to release information about the attack. The announcement comes just as Verizon Communications Inc. prepares to take over the ailing Internet company's core assets.
The break-in was "widespread and serious," the report in Recode said, citing several anonymous sources close to the situation.
Recode's sources did not provide specific details about the breach, but they said an investigation by federal authorities was imminent and that legal action tied to the attack was probable.
Such a revelation would confirm earlier reports that the same hacker who'd stolen data from LinkedIn is selling information from 200 million Yahoo accounts on the "dark Web," a part of the Internet accessible only through the use of special software such as the anonymous browsing tool Tor and often associated with illicit activities.
The data up for sale included user names, scrambled passwords and birth dates, Vice Media LLC's Motherboard blog reported in August, citing the cyberattacker, who went by the name Peace. Yahoo said at the time it was investigating the claim.
Many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information itself was of little value, either because most of it was obsolete, made-up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the data.
Whatever the scale of the alleged breach, the hack shows the danger of large data sets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing or taking minimal action based on whatever data hackers tell them was taken.
LinkedIn said in May that it was investigating whether a breach of more than 6 million users' passwords in 2012 was bigger than originally thought after a hacker's attempt to sell what was purported to be login codes for 117 million accounts. The company said that it appeared more data were taken in the initial compromise and that the company was just learning about the larger amount through the hacker's posting.
Like many Internet companies that have been breached, LinkedIn only reset passwords of everyone it believed was part of the breach at the earlier time, which amounted to 6.5 million users.
Reports of the security breach come just as Yahoo Chief Executive Officer Marissa Mayer is about to close a deal that ends the once-dominant Internet firm's independence. Verizon is acquiring its Internet assets for $4.8 billion, bringing the web portal together with longtime rival AOL. The telecommunications company will pick up services that still draw 1 billion monthly users, including mail, news and sports content and financial tools.
Information for this article was contributed by Edwin Chan, Brian Womack and Jordan Robertson of Bloomberg News, Patrick May of The Mercury News and Andrea Peterson of The Washington Post.
Business on 09/23/2016