Yahoo officially confirmed on Thursday the company’s databases were breached in 2014, and that hackers got away with the personal information of at least 500 million users, making it perhaps the largest data breach in U.S. history.
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” Yahoo’s chief information security officer (CISO) Bob Lord wrote in a blog post Thursday.
Yahoo did not name the suspected state-sponsored actor, or to which country the hacker is from. Users’ names, email addresses, telephone numbers, dates of birth, encrypted passwords, as well as encrypted and unencrypted security questions and answers were made vulnerable in the attack. Financial information such as bank or credit card information was not revealed in the breach, Yahoo said.
Recode first reported news of the Yahoo’s announcement early Thursday, saying the breach could likely draw government scrutiny and have legal ramifications.
News of the breach comes after Verizon offered to buy the embattled tech giant for $4.83 billion in July. The buyout was orchestrated after massive layoffs and years of rumors and speculation that Yahoo CEO Marissa Mayer was failing at turning the company into a profitable entity.
Breaches have become more frequent as industries, government agencies, and consumers increasingly rely on internet-based systems. For Yahoo, the breach has added to the company’s troubles. It surpasses some of the most devastating data breaches in recent history in terms of the number of people affected: That includes the Target breach in 2013, which exposed more than 100 million people’s personal and payment data, and eBay’s breach of an undisclosed number of its 145 million users’ data in 2014.
Until Yahoo, the largest breach in American history, according to Forbes, involved Court Ventures, acquired by the credit bureau Experian in 2012. Two-hundred million consumers’ data was exposed in 2013. Experian has since had several more breaches, most recently in 2014 and 2015.