Users’ “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers” may have all be acquired in the breach.
A spokesYahoo said: “Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Yahoo said it would notify users who may have been affected and urged those who had not changed their Yahoo passwords since 2014 to do so.
The company also noted that they believed “unprotected passwords, payment card data, or bank account information; payment card data and bank account information” were not compromised in the hack.
Yahoo has previously had several issues with hackers and data breaches.
In 2015, hackers hijacked Yahoo’s ad network for a week, spreading malware via advertisements to millions of users.
In 2012, users sued Yahoo over a breach in which passwords from 450,000 accounts were stolen.