On Thursday, Yahoo confirmed that a network breach affecting the company in late 2014 has led to the theft of information associated with roughly 500 million user accounts. Yahoo also confirmed in a press release that it believed the perpetrator to be a “state-sponsored actor.”

So, what’s at stake here? According to Yahoo’s release, the following pieces of data could be at risk:

  • Names,
  • Email addresses,
  • Telephone numbers,
  • Dates of birth,
  • Hashed passwords (mostly bcrypt)
  • Security questions and answers

However, according to Yahoo’s investigation, it seems that “unprotected passwords, payment card data, or bank account information” were not at risk. It is also important to note, the release said, that the affected systems weren’t used to store credit card information or bank account details.

Yahoo also noted in the release that it does not believe the “state-sponsored actor” is still active in their network.

SEE: Network Security Policy template (Tech Pro Research)

For affected users, Yahoo is invalidating security questions that weren’t encrypted, so if a hacker got access to the answers, he or she couldn’t use them to access the account. Yahoo recommended that users who haven’t changed their password since 2014 do so. However, if you are a user of any Yahoo product, you should probably change your password just to be safe.

To change your password, follow these instructions from ZDNet’s Steven J. Vaughan-Nichols.

Another critical step to take is to identify any other online accounts you have where you used the same username and/or password, and change the password to that account as well. Additionally, be extra cautious of any suspicious activity, including unsolicited emails or links you are unfamiliar with.

While Yahoo has struggled over the past few years, the news of this confirmed breach couldn’t come at a worse time for the company. Verizon is set to buy Yahoo for nearly $5 billion, and there’s no telling how this could potentially affect that deal.

Tim Erlin, the senior director of IT security and risk strategy at Tripwire said that it can be hard for users to understand the implications of personal data theft like what has been seen in this breach. This kind of information is commonly used for phishing campaigns and identity theft, he said, and it can be easy for the proper response to be glanced over in light of the magnitude of such a business deal.

“If consumers had been lulled into a sense of complacency because we haven’t seen a massive breach in a while, this should be a wake-up call,” Erlin said.

The 3 big takeaways for TechRepublic readers

  1. Yahoo confirmed that 500 million user accounts were leaked in a massive breach that occurred in 2014.
  2. While the information that was leaked didn’t include financial data, it was personal information that can be used for phishing or identity theft.
  3. It’s unclear how the breach will affect the $4.8 billion Verizon acquisition that is slated for the future.