Yahoo said on Thursday that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, a theft that appeared to be the world's biggest known cyber breach by far.
Cyber thieves may have stolen names, email addresses, telephone numbers, dates of birth and encrypted passwords, the company said.
But unprotected passwords, payment card data and bank account information did not appear to have been compromised, signaling that some of the most valuable user data was not taken.
Troy Hunt, a cyber security expert, says it's too early to say how serious the breach was especially when a state actor is said to be involved.
“It may not be serious for someone like me but may be very serious for people in the jurisdiction of that actor,” he told TRT World.
Yahoo attack being called worlds biggest ever hack - but we can't be sure cos so many mass hacks go unexposed for years
— Chris Choi (@Chrisitv) September 22, 2016
The attack on Yahoo was unprecedented in size, more than triple the size of other large attacks on sites such as eBay.
It comes to light at a difficult time for Yahoo.
Chief Executive Officer Marissa Mayer is under pressure to shore up the flagging fortunes of the site founded in 1994. The company in July agreed to a $4.83 billion cash sale of its internet business to Verizon Communications.
"This is the biggest data breach ever,” said cryptologist Bruce Schneier, adding that the impact on Yahoo and its users remained unclear because many questions remain, including the identity of the state-sponsored hackers behind it.
On its website on Thursday, Yahoo encouraged users to change their passwords but did not require it.
Although the attack happened in 2014, Yahoo only discovered the incursion after August reports of a separate breach.
To avoid being hacked, experts advice users to frequently randomise their email passwords and use multi-step authentication process.
The news quickly became a trending subject on Twitter where, like always, people found assuming aspects to discuss.
I wonder if Yahoo hacked their own emails in a publicity stunt to remind people that they still had a yahoo email account! #YahooBreach
— Irish Dave (@iamirishdave) September 22, 2016
This breach follows a rising number of other large-scale data attacks and could make it a watershed event that prompts government and businesses to put more effort into bolstering defenses, said Dan Kaminsky, an internet security expert.
Retailers and health insurers have been especially hard hit after high-profile breaches at Home Depot, Target, Anthem and Premera Blue Cross.
"Five hundred of the Fortune 500 have been hacked," he said. "If anything has changed, it's that these attacks are getting publicly disclosed."
Many people were wondering what took Yahoo so long to release the infomration.
I like that Yahoo's commitment to being The Internet Of The Past extends to today's hack being in 2014.
— Matt Levine (@matt_levine) September 22, 2016
Three US intelligence officials, who declined to be identified by name, said they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
Yahoo said it was working with law enforcement on the matter, and the FBI said it was investigating.
"The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network," the company said.
While the breach comprised mostly low-value information, it did include security questions and answers created by users themselves. That data could make users vulnerable if they use the same answers on other sites.
News of the massive breach at one of the nation's largest email providers may fan concern that US companies and government agencies are not doing enough to improve cyber security.
Democratic Senator Mark Warner said in a statement he was "most troubled by news that this breach occurred in 2014, and yet the public is only learning details of it today."