Yahoo Inc. disclosed a massive security breach by a “state-sponsored actor” affecting at least 500 million users, potentially the largest such data breach on record and the latest hurdle for the beaten-down internet company as it works through the sale of its core business.
Yahoo said certain user account information—including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers—was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.
Yahoo said it is notifying potentially affected users and has taken steps to secure their accounts by invalidating unencrypted security questions and answers so they can’t be used to access an account and asking potentially affected users to change their passwords.
Yahoo recommended users who haven’t changed their passwords since 2014 do so. It also encouraged users change their passwords as well as security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account.
The company, which is working with law enforcement, said the continuing investigation indicates that stolen information didn’t include unprotected passwords, payment-card data or bank account information.
With 500 million user accounts affected, this is the largest-ever publicly disclosed data breach, according to Paul Stephens, director of policy and advocacy with Privacy Rights Clearing House, a not-for-profit group that compiles information on data breaches.
No evidence has been found to suggest the state-sponsored actor is currently in Yahoo’s network, and Yahoo didn’t name the country it suspected was involved. In August, a hacker called “Peace” appeared in online forums, offering to sell 200 million of the company’s usernames and passwords for about $1,900 in total. Peace had previously sold data taken from breaches at Myspace and LinkedIn Corp.
A Yahoo spokesman said at the time that the company was aware of the claim and was “working to determine the facts.”
In 2012, Yahoo had more than 1 billion user accounts in its databases. User passwords were protected via a cryptographic algorithm called MD5, which can be cracked using the latest password-breaking techniques, said a source familiar with the situation.
The company in 2012 dealt with a data breach that allowed a hacker group to download 453,000 unencrypted usernames and passwords.
Last year, Yahoo launched a program to detect and notify users when it strongly suspects that a state-sponsored actor has targeted an account. Not including the current investigation, roughly 10,000 users have been notified.
Verizon Communications Inc. in July agreed to buy Yahoo’s Web assets for $4.83 billion in cash, ending a drawn-out process of trying to split the beleaguered internet company from its lucrative stake in Alibaba Group Holding Ltd.
The price, which includes Yahoo’s core internet business and some real estate, capped a remarkable fall for the Silicon Valley web pioneer that had a market capitalization of more than $125 billion at the height of the dot-com boom in early 2000.
Verizon on Thursday said it was notified of Yahoo’s security incident within the last two days but has “limited information and understanding of the impact.”
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” Verizon said.
B. Riley & Co. analyst Sameet Sinha said the breach is unlikely to affect terms of the Verizon deal.
“Data breaches have become part of doing business now,” he said, adding that LinkedIn still fetched a “nice” premium in June, getting a $26.2 billion buyout deal from Microsoft Corp., following the May disclosure that it had underestimated the broad impact of its 2012 data breach.
Yahoo and Verizon will need to “provide extensive communications and help to consumers to make sure passwords are changed quickly and of course bolster their security,” said Mr. Sinha.
Data breaches are on the rise in the U.S., affecting companies from Target Corp. to Verizon Enterprise Solutions and putting millions of users’ information at risk. National nonprofit Identity Theft Resource Center reported 687 breaches exposing roughly 28.8 million records through Tuesday this year. The Federal Bureau of Investigation and cybersecurity experts say they are seeing a notable increase in ransomware, but there appears to be no single cause for the increase.
Shares of Yahoo fell 0.3% to $44.02 in afternoon trading, while shares of Verizon added 1% to $52.39.
Write to Anne Steele at Anne.Steele@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com
Tags: cyber, cybersecurity, data breach, dates of birth, email addresses, encrypted or unencrypted security questions, FBI, Federal Bureau of Investigation, hack, hacking, hashed passwords, Internet, names, National nonprofit Identity Theft Resource Center, Putin, Russia, Russian intelligence, security breach, state sponsored, Target Corp, telephone numbers, Verizon Enterprise Solutions, Yahoo, Yahoo’s security