IE 11 is not supported. For an optimal experience visit our site on another browser.

Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts

Yahoo confirmed a massive security breach impacting 500 million users and said it believes a "state-sponsored actor" is behind the hack.
Image: A Yahoo logo is pictured in front of a building in Rolle
Yahoo is urging users to change their Yahoo password, and also to update their password and security questions if the same ones were used on any other accounts. Denis Balibouse / Reuters, file

Yahoo confirmed Thursday that a massive security breach impacted 500 million users, and said it believes a "state-sponsored actor" is behind the hack, which took place in 2014.

Image: A Yahoo logo is pictured in front of a building in Rolle
Yahoo is urging users to change their Yahoo password, and also to update their password and security questions if the same ones were used on any other accounts. Denis Balibouse / Reuters, file

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter," said Bob Lord, Yahoo's chief information security officer, in a statement on Thursday afternoon.

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and in some cases, according to Lord, encrypted or unencrypted security questions and answers.

The company is urging users to change their Yahoo password, and also to update their password and security questions if the same ones were used on any other accounts.

"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," Lord said.

On Friday afternoon, the FBI announced it was "aware of the intrusion" and was actively investigating the matter.

"We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals," said the FBI in a statement.

The hack first came to light last month. At the time, a company spokesman neither confirmed nor denied the alleged hack, telling NBC News in a statement, "We are aware of a claim. We are committed to protecting the security of our users' information and we take any such claim very seriously."

It was announced in July Verizon had reached an agreement to purchase Yahoo for $4.83 billion. The deal is still in process.

A Verizon spokesman told NBC News the company was notified of the incident "within the last two days."

"We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," the spokesman said. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment."

NBC News' Jo Ling Kent contributed reporting.