A “state-sponsored” attacker stole information on half a billion users after hacking into Yahoo, in what is the world’s biggest ever data breach, the company has revealed.
Email addresses, names, dates of birth, phone numbers, security questions and encrypted passwords are reportedly among the data stolen. Although the cyber attack took place back in 2014, it has only just been announced publicly, and the FBI has said it is investigating.
However, Yahoo does not believe that credit card information or bank details were taken.
The tech company issued a statement saying that the information was “stolen by what we believe is a state-sponsored actor”, but gave no indication of who the current suspects were.
Indications of a potential hack first appeared last month, when “Peace”, a hacker, claimed to be selling details on as many as 200 million Yahoo accounts. This revelation could perhaps be the reason why the company finally revealed it had been subject to an attack, having – rather worryingly – waited two years to do so.
Users who have been affected by the breach have had their security questions invalidated by Yahoo, to prevent them from being used to gain access to the accounts.
Any users who have not changed their password since 2014 are being strongly encouraged to change them. Due to the sheer scale of the attack, it would even be good practice to change security questions and passwords across the different sites you use, due to it being very common for people to use the same logins across a range of sites, and therefore making it easier for hackers to target you successfully.
The news may still worsen for Yahoo. The sale of its core business to Verizon for $4.8bn was announced in July, but may now be in jeopardy, with Verizon telling the BBC that it only learnt about the hack this week.