On Thursday, Yahoo finally confirmed it had been the victim of a data breach, but revealed that the attack was much worse than anyone probably anticipated. Yahoo said that information associated with at least 500 million accounts had been stolen, and the company surprisingly attributed the attack to a "state-sponsored actor."
"A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," a press release reads.
The information stolen includes names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo says it is notifying potentially affected users, and has taken steps to secure their accounts. Those include invalidating unencrypted security questions and answers, and is recommending that users who haven't changed their passwords since 2014 do so.
"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry. Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account. Since the inception of Yahoo's program in December 2015, independent of the recent investigation, approximately 10,000 users have received such a notice," the announcement continued.
The company provided no evidence for the claim that the hack had come from a state-sponsored hacker.
"Yahoo is working closely with law enforcement on this matter," the statement added.
Although an announcement about a breach was anticipated, previous reports had indicated that the number of compromised accounts was much lower.
In August, Motherboard reported that the hacker known as Peace, who had previously sold huge data dumps from other Silicon Valley companies, was advertising supposed credentials of 200 million Yahoo users on The Real Deal marketplace. The data was being sold for 3 bitcoins, or around $1,860.
"We are aware of a claim," a Yahoo spokesperson told Motherboard in an email at the time. "We are committed to protecting the security of our users' information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."
Shortly after the data was put on sale, one apparently disgruntled customer contacted Motherboard, complaining that Peace was scamming users and not delivering the Yahoo dump as promised.
Fast forward to this week, and Recode reported, quoting anonymous sources, that Yahoo was preparing to confirm the data breach.
A source familiar with the investigation told Motherboard on Thursday that, although no direct evidence was found to support Peace's claims, Yahoo conducted a broader investigation, and during that time, they found the attack from what they described as a state-sponsored actor in 2014. The source declined to provide any evidence that the attack was state-sponsored, but said that the company strongly believed it to be the case.
According to Yahoo's announcement, the majority of passwords were hashed with the strong hashing function bcrypt, meaning that hackers will have a much harder time at obtaining many users' real passwords. The source claimed that only a very small percentage of password hashes were not bcrypt.
This summer has seen several truly massive data breaches come to light, including Myspace, LinkedIn, and Dropbox. Many of these were sold by Peace, and some were also sold by another hacker called Tessa88.
This story was updated to add further details about Yahoo's investigation into the breach.