Yahoo confirmed Thursday that it was struck with a data breach in 2014 that resulted in user account information being stolen from the company's network.
While initial reports of the attack said 200 million user accounts were affected, Yahoo indicates information associated with at least 500 million user accounts was stolen.
Yahoo believes this was a state-sponsored hacker who stole the user information. Compromised information may include user names, email addresses, telephone numbers, birth dates, passwords and some encrypted and unencrypted security questions and answers. The investigation suggests no unprotected passwords, payment card data or bank account information were affected, as payment card data and bank account information are not stored in the affected system.
Yahoo said there is no evidence that the actor is still currently in Yahoo's network
As Yahoo continues its investigation into the cyberattack, the company recommends users change their passwords and security questions for both Yahoo accounts and other accounts that use similar log on information and review accounts for suspicious activity. In the letter it is sending to users, Yahoo also warns users of falling victim to phishing attacks by avoiding clicking on links or downloading attachments from suspicious emails.
"An increasingly connected world has come with increasingly sophisticated threats," said Bob Lord, Yahoo CISO, in a statement. "Industry, government and users are constantly in the crosshairs of adversaries. Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
More articles on data breaches:
The greatest cybersecurity risk is already in the building: How to mitigate threats from the inside
Will 'digital fingerprint' forensics thwart the data thieves lurking in hospital EHR corridors?
The role all executives play in cybersecurity