Yahoo confirms over 500 million users affected in 2014 breach

And it's blaming a "state-sponsored" hacker.
Yahoo has confirmed reports that it was the victim of a major hack in late 2014, which has led to some 500 million user accounts being compromised. The story first broke way back in August when a hacker known as Peace was promising to sell 200 million usernames, passwords, birthdates and email addresses for less than $2,000. At the time, Yahoo refused to confirm or deny to users whether the attack was legitimate, a delay which has given nefarious types almost two months' head start on their prey.

In a statement posted to its investor relations site, Yahoo claims the massive hack was the act of a "state-sponsored" hacker and elaborates on the kind of data that party might have had access to.

"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," the statement reads. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."

That sensitive payment information wasn't among the data breached is cause for mild relief, and Yahoo believes the hacker no longer has access to the company's systems. The news originally broke over at Re/code, whose sources said that the hack was so large that it was likely to prompt a government investigation. While Yahoo has confirmed that it's working with law enforcement to figure out exactly what happened, there's currently no word on whether government agencies are planning to dig into things themselves.

There's also no official word on why Yahoo waited so long to publicly confirm widespread reports on the breach. We could easily hazard a few guesses, though. The most obvious: Yahoo is currently selling itself to (Engadget's parent company's parent company) Verizon, and any negative consequences could harm the deal before it officially closes in early 2017. Verizon, for what it's worth, was only brought into the loop two days ago -- a Verizon spokesperson said in a separate statement on Twitter that the company has only "limited information and understanding of the impact."

Yahoo's admission could also spell trouble for beleaguered CEO Marissa Mayer -- though she has said that she plans to stay with Yahoo even as it becomes a Verizon subsidiary, the questionable handling of this breach seems like yet another in a long line of crucial missteps for both CEO and company.

Chris Velazco contributed to this story.