By Robert McMillan 

Yahoo Inc. is blaming "state-sponsored" hackers for what may be the largest-ever theft of personal user data.

The internet company, which has agreed to sell its core business to Verizon Communications Inc., said Thursday that hackers penetrated its network in late 2014 and stole personal data on more than 500 million users. The stolen data included names, email addresses, dates of birth, telephone numbers and encrypted passwords, Yahoo said.

Yahoo said it believes that the hackers are no longer in its corporate network. The company said it didn't believe that unprotected passwords, payment-card data or bank-account information had been affected.

Computer users have grown inured to notices that a tech company, retailer or other company with which they have done business had been hacked. But the Yahoo disclosure is significant because the company said it was the work of another nation, and because it raises questions about the fate of the $4.8 billion Verizon deal, which was announced on July 25.

In July, Yahoo began investigating claims by hackers who were offering to sell what they said were 280 million Yahoo usernames and passwords. Yahoo said it concluded the information for sale wasn't legitimate, but the company decided to broaden its probe, eventually determining that it had been breached by "a state-sponsored actor."

In a proxy filing related to the Verizon deal on Sept. 9, Yahoo said it wasn't aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data. Yahoo declined to comment on the filing.

Yahoo didn't say how the hackers broke into its network or which country sponsored the attacks.

The intrusion, in late 2014, came during a period when many computer attacks, including on the federal Office of Personnel Management and health insurer Anthem Inc., were believed to be the work of China. More recent hacks, however, including of the Democratic National Committee earlier this year, have been blamed on Russia. Both countries have denied involvement in the hacks.

It isn't uncommon for data breaches to go unreported for years. In May, Myspace notified users of a 2013 breach; the same month, LinkedIn Corp. also notified users that a 2012 incident, thought to have affected just 6.5 million accounts, had actually compromised more than 100 million.

"The FBI is aware of the intrusion and investigating the matter," the Federal Bureau of Investigation said. "We take these types of breaches very seriously and will determine how this occurred and who is responsible."

Verizon said it was notified of the breach earlier this week. "We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon said in a statement. "We will evaluate as the investigation continues."

B. Riley & Co. analyst Sameet Sinha said the breach is unlikely to affect terms of the Verizon deal.

"Data breaches have become part of doing business now," he said, adding that Microsoft Corp. agreed to buy LinkedIn for $26.2 billion in June, one month after LinkedIn notified users of the broader scope of its 2012 breach.

But Stephen S. Wu, a technology lawyer at the Silicon Valley Law Group, said the language assuring that no security breaches had occurred might give Verizon leverage to renegotiate the deal, or even to walk away.

The Yahoo breach appears to be the largest ever disclosed, based on the number of users affected, said Paul Stephens, director of policy and advocacy with Privacy Rights Clearinghouse, a not-for-profit group that compiles information on data breaches. Credit-card processor Heartland Payment Systems Inc. said roughly 130 million credit- and debit-card numbers had been stolen in a 2009 hack.

The Yahoo breach, and the timing of the disclosure, quickly reverberated in Washington. Sen. Mark Warner, D-Va., said in a statement, "I am perhaps most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today."

Yahoo's breach is the latest in a series of compromises that have put billions of consumer usernames and email addresses at risk. One website, called Leaked Source, sells a searchable list of more than two billion credentials.

While many other companies have disclosed large-scale breaches recently, the fact that Yahoo is linking its hack to state-sponsored hackers is noteworthy. U.S. intelligence officials have said China-based attacks have declined in recent months, following a 2015 agreement between the U.S. and China.

Over the past year, Russia has gradually taken China's place as the primary suspect in attacks on U.S. systems. Two hacking groups -- linked by security researchers and U.S. government officials to Russia -- have published email messages belonging to public figures, including private Gmail messages belonging to former Secretary of State Colin Powell.

The Yahoo data could be used to obtain the personal correspondence of public figures. "For a government, the real value would be to look for people with real value," said Matthew Green, a computer science professor at Johns Hopkins University. "Maybe you don't get classified information, but some of those Colin Powell emails were very interesting."

Yahoo said the stolen passwords were encrypted, but computer-security experts said a determined attacker could unscramble passwords -- especially simple passwords -- using commonly available "cracking" software. Once cracked, hackers could break into Yahoo accounts and -- if the password happened to be reused on another web service -- possibly other websites too.

Security experts recommend that consumers add a "second factor" of authentication to their online accounts. Typically this means receiving a short code via text message every time the user logs in from an unknown computer.

Yahoo says that its users should change their passwords and security questions, and avoid using the same password on multiple accounts.

--Anne Steele, Ryan Knutson, Damian Paletta contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

 

(END) Dow Jones Newswires

September 23, 2016 02:47 ET (06:47 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.