The user-account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases encrypted or unencrypted security questions and answers, according to Yahoo. The data was stolen from the company’s network in late 2014, Yahoo said. It didn’t identify the country it believed was behind the attack.
What the disclosure means for Verizon’s pending $4.8 billion deal to acquire the core web businesses of Yahoo is not immediately clear.
Verizon, in a statement, said it was notified of Yahoo’s security breach in the last two days. “We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact,” the telco said. “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
The Yahoo announcement came after Vice’s Motherboard reported in August that a hacker known as “Peace,” who is believed to be a Russian cybercriminal, was advertising the sale of 200 million Yahoo user accounts in a black-market online forum for about $1,860 worth of Bitcoin. At the time, Yahoo said it was investigating the claims. Recode reported early Thursday that Yahoo was expected to confirm the data breach this week.
Yahoo said it was working with law-enforcement officials on investigating the incident. According to the company, based on what it has learned so far, none of the stolen information included unprotected passwords, payment-card data, or bank-account information.
“Yahoo is notifying potentially affected users and has taken steps to secure their accounts,” the company said. “These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.”
Yahoo, which reaches some 1 billion users around the world, has posted a frequently asked questions document on its website about the breach. The company also is encouraging users to use Account Key, an authentication tool for its email app that associates a Yahoo account with a specific device to eliminate the need for a password.
As part of responding to the incident, Yahoo has enlisted New York-based communications firm Joele Frank, which specializes in crisis PR.