If for some unholy reason you haven’t changed your Yahoo password since 2012, we have some bad news: You’ve probably been hacked.
Yahoo’s statement reads:
A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.
Yahoo’s admission was first reported by Recode’s Kara Swisher, a longtime tech reporter with deep ties in the industry.
The admission of a major breach would come at an inopportune time for Yahoo, which is in the midst of selling its core business to Verizon for $4.8 billion.
The hack itself is not exactly news. On Aug. 1, Motherboard’s Joseph Cox reported that someone—a cybercriminal known as “Peace” or “Peace of Mind”—was claiming to be selling hundreds of millions of Yahoo passwords on the dark net. Cox obtained a small portion of the data—around 5,000 logins—and many of the accounts he tested matched real Yahoo accounts, although some had been shut down.
At this point, users should assume that the breach is legitimate, simply for their own digital safety. You can also type in your email address in the Leaked Source search tool to see if your Yahoo account (or any account linked to your address) has been compromised.
And seriously, if you are still using any passwords from 2012, do yourself a favor and go update those now.
Update 1:40pm CT, Sept. 22: Yahoo has now confirmed the breach.