Computer hackers swiped personal information from at least 500 million Yahoo accounts in what is believed to be the biggest ever digital break-in at an email provider.
The massive security breakdown disclosed on Thursday poses new headaches for Yahoo CEO Marissa Mayer as she tries to close a $4.8bn sale to Verizon Communication .
The data breach dates back to late 2014, raising questions about the checks and balances within Yahoo.
Yahoo didn’t explain what took so long to uncover the breach that it blamed on a “state-sponsored actor” – parlance for a hacker working on behalf of a foreign government.
The Sunnyvale, California, company declined to explain how it reached its conclusions about the hacker, but said it is working with the FBI and other law enforcement as part of its ongoing investigation.
The stolen data includes users’ names, email addresses, telephone numbers, birth dates, scrambled passwords, and security questions – and answers – used to verify an account holder’s identity.
Last month, the tech site Motherboard reported that a hacker who uses the name “Peace” boasted that he had account information belonging to 200m Yahoo users and was trying to sell the data on the web.
Yahoo is recommending that users change their passwords if they haven’t done so since 2014. The company said the attacker didn’t get any information about its users’ bank accounts or credit and debit cards.
News of the security lapse could cause some people to have second thoughts about relying on Yahoo services, raising a prickly issue for the company as it tries to sell its digital operations to Verizon Communications.
That deal, announced two months ago, isn’t supposed to close until early next year. That leaves Verizon with wiggle room to renegotiate the purchase price or even back out if it believes the security breach will harm Yahoo’s business.
That could happen if users shun Yahoo or file lawsuits because they’re incensed by the theft of their personal information.