Yahoo Inc said on Thursday that information for at least 500 million user accounts was stolen from its network in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the biggest cyber breach ever.
Yahoo said data stolen may have included names, email addresses, telephone numbers, dates of birth and encrypted passwords but that unprotected passwords, payment card data and bank account information did not appear to have been compromised, the company said.
“This is the biggest data breach ever,” said well-known cryptologist Bruce Schneier.
He said it was too early to say what impact the breach might have on Yahoo and its users because many questions remain, including the identity of the state-sponsored hackers behind it.
Three U.S. intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
Yahoo said it was working with law enforcement on the matter. The FBI said it was aware of the matter, and the U.S. Secret Service was not immediately available for comment.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said.
Shares of Yahoo stock were barely changed for the day after the news, while shares of Verizon Communications, which has agreed to buy the company’s Internet business, were up about 1 percent.
It was not clear how this disclosure might affect Yahoo’s deal with Verizon.
Verizon, which announced in July an agreement to buy Yahoo’s core internet properties for $4.83 billion, said in a statement it was made aware of the breach within the last two days and had limited information about the matter.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.
Technology website Recode first reported Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.
That followed an Aug. 1 story on the technology news site Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users but did not confirm its authenticity. Peace has previously claimed responsibility.
Peace also previously attempted to sell on a hacker forum information purportedly belonging to hundreds of millions of accounts at MySpace and LinkedIn, including names, passwords and email addresses.