SAN FRANCISCO --Yahoo said hackers stole personal information from 500 million of its user accounts, a massive security breakdown it attributed to a "state sponsored actor." The breach disclosed Thursday, the latest setback for the beleaguered internet company, dates back to late 2014.
That's when high-tech thieves hacked into Yahoo's data centers, the company said. But Yahoo only recently discovered the break-in as part of an ongoing internal investigation.
The stolen data includes users' names, email addresses, telephone numbers, birth dates, hashed passwords, and the security questions - and answers - used to verify an accountholder's identity.
Last month, the tech site Motherboard reported that a hacker who uses the name "Peace" boasted that he had account information belonging to 200 million Yahoo users and was trying to sell the data on the web.
Yahoo recommends that users change their passwords if they haven't done so since 2014. The Sunnyvale, California, company said its investigation so far hasn't found any evidence that information about users' bank accounts or credit and debit cards were swiped in the hacking attack. It said it has "no evidence" that the attacker is still in Yahoo's network.
"While we have seen more and more data breaches in the private sector in recent years, many of them affecting millions of consumers, the seriousness of this breach at Yahoo is huge," said Sen. Mark Warner (D-Va.), a former technology executive, member of the Senate Intelligence and Banking Committees, and cofounder of the bipartisan Senate Cybersecurity Caucus. "While its scale puts it among the largest on record, I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today.
"Action from Congress to create a uniform data breach notification standard so that consumers are notified in a much more timely manner is long overdue, and I urge my colleagues to work together to pass this essential legislation," Warner added.
News of the security lapse could cause some people to have second thoughts about relying on Yahoo's services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon Communications for $4.8 billion.
That deal, announced two months ago, isn't supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo's business. That could happen if users shun Yahoo or file lawsuits because they're incensed by the theft of their personal information.
Verizon said it still doesn't know enough about the Yahoo break-in to assess the potential consequences. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," the company said in a statement.
Report a Typo