Yahoo Inc. said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it described as a state-sponsored actor.
The attack on Yahoo was more than triple other large attacks on sites such as eBay Inc.
Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, according to the company.
Bank account information, unprotected passwords, and payment card data did not appear to have been compromised, said Yahoo, hinting that some of the most valuable user data was not taken.
Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site founded in 1994, and the company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications Inc (VZ.N).
Yahoo encouraged users on its website on Thursday to change their passwords but did not require it.
Yahoo did not find out about the incursion after August reports of a separate breach, although the attack happened in 2014. While that report turned out to be false, Yahoo’s investigation turned up the 2014 theft, according to a person familiar with the matter.
Analyst Robert Peck of SunTrust Robinson Humphrey said the breach probably was not enough to prompt Verizon to abandon its deal with Yahoo, but it could call for a price decrease of $100 million to $200 million, depending on how many users leave Yahoo.
Dan Kaminsky, a well-known internet security expert, the Yahoo breach follows an increasing number of other large-scale data attacks and could probably make it a watershed event that prompts government and businesses to put more effort into bolstering defenses, said
Three U.S. intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.