Cyber crooks may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said. Unprotected passwords, payment card data and bank account information did not appear to have been compromised, Yahoo said, signaling that some of the most valuable user data was not taken.
“This is the biggest data breach ever,” said well-known cryptologist Bruce Schneier.
He said it was too early to say what impact the breach might have on Yahoo and its users because many questions remain, including the identity of the state-sponsored hackers behind it.
It was not immediately clearly when Yahoo learned of the hack and why it took two years to come to light.
The size of the attack on Yahoo was unprecedented compared to other corporate breaches such as at eBay Inc (EBAY.O) in 2014 which involved personal data of 145 million users.
The Yahoo breach, which follows a rising number of other large-scale data breaches, could make it a watershed event that prompts the government and businesses alike to put more effort into bolstering defenses, said Dan Kaminsky, a well-known Internet security expert.
“Five hundred of the Fortune 500 have been hacked,” he said. “If anything has changed, it’s that these attacks are getting publicly disclosed.”
Three U.S. intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
Yahoo said it was working with law enforcement on the matter. The FBI said it was aware of the matter, and the U.S. Secret Service was not immediately available for comment.
“The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network,” the company said.
Shares of Yahoo stock closed a penny higher at $44.15, while shares of Verizon Communications (VZ.N), which has agreed to buy the company’s Internet business, were up about 1 percent.
It was not clear how this disclosure might affect Yahoo’s deal with Verizon.
Verizon, which announced in July an agreement to buy Yahoo’s core internet properties for $4.83 billion, said in a statement it was made aware of the breach within the last two days and had limited information about the matter.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities,” the company said.
Technology website Recode first reported Tuesday that Yahoo planned to disclose details about a data breach affecting hundreds of millions of users.
That followed an Aug. 1 story on the technology news site Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users but did not confirm its authenticity. Peace has previously claimed responsibility.
Peace also previously attempted to sell on a hacker forum information purportedly belonging to hundreds of millions of accounts at MySpace and LinkedIn, including names, passwords and email addresses.