A massive breach at Yahoo compromised account details from at least 500 million users, and the company is blaming the attack on state-sponsored hackers.
Names, email addresses, telephone numbers, and hashed passwords may have been stolen as part of the hack, which occurred in late 2014, Yahoo said.
The company reported the breach on Thursday, after a stolen database from the company went on sale on the black market last month.
However, the hacker behind the sale claimed that the stolen database involved only 200 million users and was likely obtained in 2012.
It’s unclear if Thursday’s breach is connected. But Yahoo has been notifying affected users and asking them to change their passwords.
“We are recommending that all users who haven’t changed their passwords since 2014 do so,” the company said in a statement. It’s also asking that users review any suspicious activity related to their accounts.
The vast majority of the stolen passwords were hashed with the security tool bcrypt, making them more difficult to crack, Yahoo said. But some security questions and answers from the accounts may have also been taken.
However, Yahoo’s investigation suggests that no payment card data or banking details were stolen in the breach, the company added. Yahoo has found no evidence showing that the hackers are still inside its network.
Yahoo has published an FAQ for affected users. The company is also working with law enforcement to investigate the incident.