Yahoo has confirmed that a copy of certain user account information was stolen from its network in late 2014. The company believes that the breach was conducted by a state-sponsored actor.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected,” read the company’s statement.
The company is working closely with law enforcement authorities and notifying potentially affected users of ways they can further secure their accounts.
The company is asking potentially affected users to promptly change their passwords and adopt alternate means of account verification.
The company reports that the “stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
The ongoing investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network.