Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing half of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.
The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and possibly security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate the theft of payment data or bank account information, or unprotected passwords, the company said. Affected users are being notified and their accounts are being secured, it also said.
The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with
“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
The confirmation that accounts were compromised came almost two months after the company
It’s worth noting, though, that many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information was of little value, either because most of it was obsolete, made-up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the data.
While the breach is a blow to Yahoo in particular, more broadly it underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing or with them only taking minimal action based on whatever data hackers tell them was taken.