SUNNYVALE, Calif., Sept. 22 (UPI) — Internet giant Yahoo! on Thursday acknowledged a massive security breach involving at least 500 million of its users’ accounts stemming from a leak two years ago.
The Sunnyvale, Calif., company confirmed the breach after it was reported in the news media.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo! Chief Information Security Officer Bob Lord said in a statement Thursday.
“Stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
Lord said the breach was performed by a “state-sponsored actor.”
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter,” he stated.
The company said it is taking a number of steps to protect users’ data — including notifying owners of potentially affected accounts, asking users to change their passwords and invalidating non-secure access methods.
Yahoo! is also asking users to check their accounts for suspicious activity and consider using its password-free Yahoo Account Key authorization tool.
“An increasingly connected world has come with increasingly sophisticated threats,” Lord added.
“Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Yahoo!, one of the most popular websites in the world, says it has nearly a billion active monthly users and is no stranger to security breaches. In January 2014, the company said a coordinated effort was made to gain access to potentially millions of its email accounts.
It wasn’t immediately clear whether the breach is related to a security concern the company acknowledged last month, when it was said that as many as 200 million user accounts may have been compromised and their information mined for sale.