The company said that certain account information was stolen from the company’s network in late 2014 in what it believes was a ‘state-sponsored actor’. It’s not known who that actor is, but Russia has been linked to several recent US hacks, reports The Daily Mail.
Yahoo said that account information affected could include names, email addresses, phone numbers, birthdays, hashed passwords and encrypted or unencrypted security questions and answers.
Yahoo has recommended that users change their passwords as soon as possible, and use alternate methods of account verification.
The firm said they would notify potentially affected users by email as well as post additional information to its website, calling on people to change their passwords promptly.
They added that stolen information did not include unprotected passwords, payment card data or bank account information.
A letter to users from Bob Lord, the Chief Information Security Officer, added that users should review their accounts for suspicious activity and avoid clicking on links from suspicious emails.
A statement added that an ‘ongoing investigation found no evidence that the state-sponsored actor is currently in Yahoo’s network.’
The hack, which was initially reported by the news website Recode, follows an August 1 story on the technology news site, Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users, but did not confirm its authenticity.
Peace was selling that data for just 3 bitcoin, or around $1,860, according to Motherboard.
Details that were possibly compromised include user names, birth dates, some backup email addresses and scrambled passwords, Motherboard said.
Gartner analyst Avivah Litan said before the breach was confirmed that all Yahoo users should assume their credentials were stolen and change their passwords.
Stolen passwords are valuable to cyber criminals, she said, because consumers often reuse passwords. Criminals use stolen credentials for so-called ‘credential stuffing’ attacks, which Litan said have surged over the past 18 months.
In such attacks, criminals use automated programs to cycle through stolen user IDs and passwords and log into personal accounts on sites such as banks, travel firms and online gaming firms.
While the average success rate is only one to two per cent, consumers stand to lose money, credit card data, frequent flyer points and cash stored on merchant wallets, she said.
The Motherboard report was published a week after Verizon announced its deal with Yahoo.
Share prices for Yahoo! Inc, which had risen through the day despite the rumors, immediately dropped upon the announcement of the hack, and were down 0.02 per cent on the day at $44.14.
It was not clear how such a disclosure might affect Yahoo’s plan to sell its email service and other core internet properties to Verizon Communications Inc for $4.8billion.
Shares of Verizon appeared to drop slightly after news of the announcement but as of 3pm EDT were up 1.07 per cent on the day.