As was rumored this morning, so it has come to pass. Yahoo has confirmed a massive data breach — and it’s far, far bigger than anyone guessed at first.
The breach affects “at least 500 million” users, Yahoo confirmed today. Yes, that’s more than half a billion, with a B, people.
The data, Yahoo writes, was stolen in late 2014. The company suspects a “state-sponsored” actor did it — meaning some government paid someone to get this data, and it wasn’t just the act of rogue, bored hackers.
Compromised information may include:
- E-mail addresses
- Telephone numbers
- Dates of birth
- Hashed passwords
- Encrypted and unencrypted security questions and answers
Yahoo says the investigation — still ongoing — has not turned up any evidence that ant payment card data or bank information was included.
The investigation also appears to indicate that the hacker is no longer still infiltrating the network, so the hack is “over,” such as it is.
Yahoo says it is notifying any potentially affected user (which, let’s be real, with more than 500 million people affected is “most of them”) and asking them to change their passwords. It is also invalidating the purloined security questions and, as you might guess, working closely with law enforcement.
Yahoo also asks users to consider using the Yahoo Account Key authentication tool in the future, so as not to have passwords that can be stolen.
And as always, change basically any password anywhere that you might have held in common with your Yahoo one, and be careful with any unsolicited messages you may receive.