Claiming the attack was launched by a “state-sponsored actor” the company confirms the information stolen included names, email addresses, telephone numbers, dates of birth and passwords. Essentially everything a person would need to gain access to the account.
The FBI is reportedly investigating the breach, which if confirmed would become the single largest attack of its kind in history.
The company was able to confirm that payment card details, bank account information was not stolen as it was not stored on the system that was targeted.
A statement released by Yahoo added: “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Bob Lord, Yahoo’s chief information security officer (CISO), said: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.
“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Network security company NSFocus said that the Yahoo breach had been originally reported in 2012, but that the numbers of users affected had been significantly underestimated.
Am I affected by the attack?
Yahoo said it is notifying any potentially affected users and asking any users that have not changed their passwords in the last two years to do so.
How can I protect my account?
- A list of security tips published on the company’s Tumblr platform on Thursday read:
- Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
- Review your accounts for suspicious activity.
- Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
- Avoid clicking on links or downloading attachments from suspicious emails.
Stephen Gates, chief research intelligence analyst at NSFocus, said: “In 2012, the number of potentially compromised user credentials was estimated to be around 450,000.
“However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online.”
He echoed Yahoo’s advice for users to change their passwords and added that companies must also take further measures to protect user data.
“Enterprises must first assess what hackers would likely want to steal from them,” he said.
“Once identified, enterprises must use all measures at their disposal to protect that data - at all costs.”
Other organisations have commented on the effect the breach could have on Yahoo’s impending takeover by US telecoms company Verizon.
The firm announced in July that it would be buying Yahoo’s operating business - including its search and email services and news pages - for 4.83 billion US dollars (£3.7 billion).
Mark James, of internet security company ESET, said: “As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data.”
Others say that the breach draws attention to outdated security systems across other websites.
Brian Spector, chief executive of Miracl, said: “The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today.
“By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”