Hackers broke into half a billion Yahoo accounts in late 2014, the company acknowledged on Thursday.
Yahoo says it believes a "state-sponsored actor" was behind the massive data breach. "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo Chief Information Security Officer Bob Lord stated Thursday. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."
"Bcrypt" refers to a technique for hashing passwords, converting them into scrambled text, according to Ars Technica. The method reportedly makes it difficult for hackers to recover the original passwords from the stolen data.
It's not yet clear how news of the data breach will affect Verizon's pending $4.9 billion acquisition of Yahoo.
Verizon says it only learned of the massive hack two days ago. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon stated Thursday. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."
Yahoo's confirmation of the data breach comes two months after a hacker who goes by the name "Peace" said he was selling information about 200 million Yahoo account holders, including their names, other email addresses, birthdates, and some passwords. Peace said that data was obtained in a 2012 data breach.