Internet company Yahoo revealed it was subject to a network breach in late 2014, which saw a “state-sponsored actor” steal personal information from more than 500 million accounts.
The attack, confirmed two years on, is one of the biggest public cybersecurity breaches in history, and comes just months after Yahoo announced a deal to sell its core business to US operator Verizon for $4.8 billion.
Verizon said it had only learned about the hack “within the last two days,” adding that it had “limited information”.
It is unclear whether this development could put the deal in doubt, as it goes through final regulatory clearance.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company reportedly said in a statement. “Until then, we are not in a position to further comment.”
Notably, in an SEC filing on 9 September, relating to the Verizon sale, Yahoo said it had no knowledge “of any incidents” or “security breaches, unauthorised access or unauthorised use” of its systems.
500M users hit
Yahoo revealed in a statement it had conducted an investigation which found that certain user account information was stolen from its network, which may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, encrypted and unencrypted security questions.
The company said the breach did not extend to credit card and banking information.
News of a hack first surfaced in July this year, according to reports, after the company received information that 200 million Yahoo log-ins were on sale on the internet.
However, it found no evidence backing up those claims, according to a Financial Times source.
Yahoo then began to conduct a more thorough investigation, which led to this revelation. Despite pinning the blame on a “state-sponsored actor,” it did not say which country it held responsible.
The company said it had found no evidence that the hacker “is currently in Yahoo’s network”, adding that it is working closely with law enforcement on the matter.
It also said it was notifying affected users, and urging a prompt password reset.
While it is not uncommon for data breaches to go unreported for years, such as a 2012 LinkedIn hack that was only revealed in May, questions are already being raised about why it has taken Yahoo two years to learn of and respond to the issue.