500 Million Yahoo Accounts Were Hacked by a ‘State-Sponsored Actor’

Yahoo CEO Marissa Mayer. Photo: Kimberly White/Getty Images for Fortune

Yahoo just confirmed what Kara Swisher reported this morning: Hundreds of millions of accounts with the email-and-search service were hacked sometime in 2014. And where it gets even more interesting is who Yahoo thinks is behind it.

According to executive Bob Lord, the company was infiltrated “in late 2014 by what it believes is a state-sponsored actor.” There are not many governments with the resources (or chutzpah) to go after a large U.S. business, so it seems fair to assume that we’re talking Russia or China. And the scale of the damage is larger than expected, too: While the early Recode report stated 200 million accounts were put in jeopardy, the actual official tally is closer to 500 million. Among the data stolen were “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.”

The 500 million user accounts comprise roughly half of Yahoo’s user base, and even in a best-case scenario, many of those users will leave the service and shut down their accounts. That doesn’t bode well for a company hoping to sell itself to Verizon for $4.8 billion. (At the same time, a small sample tested by Motherboard showed that while some of the usernames corresponded to real accounts, others had been shut down or did not exist. It’s unclear precisely how many accounts belong to active users.)

The company did not provide much more information, other than saying that they’re forcing password resets on certain users and invalidating unencrypted security questions. They described the investigation as “ongoing,” and given that it allegedly involves state-sponsored actors, it’s likely that certain U.S. government bodies are looking into the breach as well.

If one were feeling charitable, one might assume such an investigation also explains why Yahoo didn’t publicly disclose the hack for two years.