Yahoo confirmed Thursday that at least 500 million users had been impacted by a data breach at the hands of a "state-sponsored actor." The initial hack is estimated to have taken place in 2014, with Yahoo currently in the process of notifying potentially affected users to inform them of what steps need to be taken to protect their accounts moving forward. First step? You might want to change your password.
"Yahoo encourages users to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account," a spokesperson said in a press release Thursday. "The company further recommends that users avoid clicking on links or downloading attachments from suspicious emails and that they be cautious of unsolicited communications that ask for personal information."
As noted by others, 500 million is indeed a huge number of potentially exposed users. In fact, current estimates on total worldwide internet users places the figure this way: as many as 1 in 7 internet users may have been exposed in the Yahoo breach.
The exposed account information possibly included users' names, email contact, phone numbers, birthdates, hashed passwords, and some "encrypted or unencrypted" security questions and corresponding answers. The investigation, which is still ongoing, has not found any reason to believe that bank or other payment information was compromised in the breach.
Yahoo last dealt with a data breach back in 2012. According to a report from the Wall Street Journal, approximately 453,000 unencrypted usernames and passwords were obtained by a "hacker group" during the previous hack. The company was purchased by Verizon Communications this July for $4.83 billion, a far cry from its original 2008 offer from Microsoft of $45 billion.