In a statement posted to its investor relations site, Yahoo claims the massive hack was the act of a "state-sponsored" hacker and elaborates on the kind of data that party might have had access to.
"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," the statement reads. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."
That sensitive payment information wasn't among the data breached is cause for mild relief, and Yahoo believes the hacker no longer has access to the company's systems. The news originally broke over at Re/code, whose sources said that the hack was so large that it was likely to prompt a government investigation. While Yahoo has confirmed that it's working with law enforcement to figure out exactly what happened, there's currently no word on whether government agencies are planning to dig into things themselves.
There's also no official word on why Yahoo waited so long to publicly confirm widespread reports of the breach. We could easily hazard a few guesses, though. The most obvious: Yahoo is currently selling itself to Verizon (Engadget's parent company's parent company), and any negative consequences could harm the deal before it officially closes in early 2017. Verizon, for what it's worth, was only brought into the loop two days ago -- a Verizon spokesperson said in a separate statement on Twitter that the company has only "limited information and understanding of the impact."
Yahoo's admission could also spell trouble for beleaguered CEO Marissa Mayer -- though she has said that she plans to stay with Yahoo even as it becomes a Verizon subsidiary, the questionable handling of this breach seems like yet another in a long line of crucial missteps for both CEO and company.
Chris Velazco contributed to this story.