Internet giant Yahoo has admitted a data breach that involved the theft of information from at least 500 million user accounts.
The company said on Thursday that it believed a “state-sponsored actor” stole information including names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
An investigation is still continuing into the breach, which Yahoo said happened in late 2014.
The company said that the stolen information did not include unprotected passwords, payment card data, or bank account information, which is not stored in the system that was targeted.
A statement released by Yahoo added: “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Yahoo said it is notifying any potentially affected users and asking any users that have not changed their passwords in the last two years to do so.
A list of security tips published on the company’s Tumblr platform on Thursday read: “Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
“Review your accounts for suspicious activity.
“Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
“Avoid clicking on links or downloading attachments from suspicious emails.”
Bob Lord, Yahoo’s chief information security officer (CISO), said: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.
“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Network security company NSFocus said that the Yahoo breach had been originally reported in 2012, but that the numbers of users affected had been significantly underestimated.
Stephen Gates, chief research intelligence analyst at NSFocus, said: “In 2012, the number of potentially compromised user credentials was estimated to be around 450,000.
“However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online.”
He echoed Yahoo’s advice for users to change their passwords and added that companies must also take further measures to protect user data.
“Enterprises must first assess what hackers would likely want to steal from them,” he said.
“Once identified, enterprises must use all measures at their disposal to protect that data – at all costs.”
Other organisations have commented on the effect the breach could have on Yahoo’s impending takeover by US telecoms company Verizon.
The firm announced in July that it would be buying Yahoo’s operating business – including its search and email services and news pages – for 4.83 billion US dollars (£3.7 billion).
Mark James, of internet security company ESET, said: “As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data.”
Others say that the breach draws attention to outdated security systems across other websites.
Brian Spector, chief executive of Miracl, said: “The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today.
“By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”
