Yahoo has confirmed a data breach dating back to 2014 that may have affected at least 500 million user accounts.
The confirmation wasn't unexpected as reports in Recode noted that Yahoo would confirm a massive data breach. In addition, Motherboard reported in August on stolen Yahoo user credentials. The news comes at an awkward time given Verizon is about to close the purchase of Yahoo.
What's new about the Yahoo disclosure is that the company is saying it believes "a state actor" took user credentials. Yahoo said:
A copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.
Yahoo added that it found no evidence that a state sponsored hacker is currently in its network.
The company is notifying users about improving security. Yahoo also told users to review accounts and change passwords and security questions.