User details from more than 500 million Yahoo accounts — including names, birth dates and encrypted passwords — were stolen nearly two years ago by state-sponsored hackers, the faltering tech giant said Thursday.
It was unclear whether the news will impact the $4.8 billion sale of the company to Verizon.
Email addresses “and, in some cases, encrypted or unencrypted security questions and answers” were also included in the stolen data, but not payment card data or bank account information, which was stored in a separate system, Yahoo said in a statement.
The statement added that the company found no evidence the attackers, who struck in “late 2014” were still in its network.
It did not explain why the company believes the hackers were state-sponsored, and a company spokeswoman declined to provide further details.
“Yahoo is working closely with law enforcement” on the theft, the statement said.
The company added they would notify potentially affected users by email and had “taken steps to secure their accounts,” including “invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords.”
The stolen data includes the encrypted hashes of users’ passwords — associated with their email address. Hashes are the passwords after they’ve been transformed by the mathematical processes involved in encryption. In theory, this should make them useless strings of gibberish. But given sufficient time and computing power — and given that most users continue to employ dictionary words as passwords — hashes can be “cracked” or decrypted, exposing the plaintext password.
The news comes as Yahoo, which helped pioneer free email and then tried to refashion itself as a content portal, is in the process of being bought by Verizon. It was unclear whether the revelation about the breach might impact the sale, which was slated to close next year.
In a statement, Verizon said it had learned of the incident “Within the last two days.”
“We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.”
Observers noted that, as with similar breaches in the past, the hackers would be able to use the email and (cracked) password combinations against all kinds of other accounts the same user might have employed them to secure — social media, communications or even banking.
“Cyber criminals know that consumers use the same passwords across websites and applications,” said Brett McDowell, executive director of the FIDO Alliance — a non-profit that has developed identity authentication standards which rely on secure cryptographic credentials stored on devices, instead of passwords.
Because stolen passwords are so useful, he aded, “this trend [of data breaches getting worse and worse] will continue until our industry ends its dependency on password security and adopts un-phishable strong authentication.”