It turns out the Yahoo hack was much bigger than we expected.
Yahoo just released a statement claiming that state-sponsored actors breached the company’s servers and stole data from half a billion users. The statement reads:
A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.
The statement says that the breach did not include “unprotected passwords” or any banking information. Still, if you have a Yahoo account, it’s definitely a good time to change your password and update your security questions. If you’re using the same password or security questions that you used on Yahoo on other sites, it’s a good idea to change those too.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in the statement. “Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.”
The size of this hack is simply staggering, and for the culprit to be a state sponsored actor just makes it feel that much more insane. This may end up being one of the biggest publicly known state sponsored attacks on consumer data.