Yahoo! has confirmed early this morning that half a billion user accounts have been compromised in a widescale data breach that first occured in late 2014.
The data breach first came to light in August, when a hacker called "Peace" began selling information on TheRealDeal dark web marketplace for around $2385 (3 Bitcoin). At the time, Yahoo! released a statement saying that their "security team [was] working to determine the facts" and that users should use different passwords for different accounts, or abandon passwords entirely through the Yahoo! Account Key app.
Around 200 million user accounts were believed to have been affected back then. A source told Recode before the official announcement that the breach was "worse" than that.
Early this morning, Yahoo! released this statement:
A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter.
Motherboard, which broke the original story, acquired around 5000 of the leaked records and reported that "most of the two dozen Yahoo! usernames tested by Motherboard did correspond to actual accounts on the service". They added that other addresses in the sample data they acquired, however, returned as undeliverable email addresses.
The sample data at the time contained hashed usernames, hashed passwords, dates of birth, and secondary email addresses in some instances, corroborating Yahoo!'s statement. The data was shown to Yahoo!, but Yahoo! did not confirm or deny the legitimacy of the data back then.
It comes at a bad time for Yahoo!, which is currently in the process of selling its core business to telecom giant Verizon for a reported $US4.8 billion. Yahoo! also added that state-sponsored hackers are increasingly responsible for "online intrusion and thefts" across the technology sector.