Yahoo confirmed that at least 500 million user accounts had their information compromised in a massive hack that it believes was perpetrated by a state-sponsored actor.
The scale of the breach makes it among the largest on record.
In a lengthy post on its company website, Yahoo's chief information security officer Bob Lord said that account information taken "may have" included names, email addresses, telephone numbers, dates of birth, obfuscated passwords and, possibly, encrypted or unencrypted security questions and answers. While Yahoo is still investigating the breach, Lord said that financial information, including credit card numbers and payment card data, was not accessed; that information is stored in a separate system.
Furthermore, Lord said in the company release that the apparent state-sponsored hacker is no longer in Yahoo's systems.
"Yahoo is working closely with law enforcement on this matter," Lord said.
Word first surfaced overnight that the ailing tech giant would confirm a data breach affecting hundreds of millions of accounts, according to a report from tech site Recode.
Yahoo will be reaching out to potentially affected users by email. Users will be asked to change their passwords. Any unencrypted security questions and answers will be invalidated, meaning that users will have to submit new ones. Yahoo is also asking anyone who hasn't changed their password since 2014 to do so for good measure.
The company has also set up a frequently asked questions page for anyone who may have been affected by the breach.
The confirmation from Yahoo comes as the firm is on the brink of finalizing a US$4.8 billion deal to sell off its core business to Verizon.