Yahoo was hit by one of the biggest data thefts in history after account information of at least 500 million users was stolen in a 2014 hacking incident by a "state-sponsored actor," the pioneering internet company said Thursday.
Information obtained in the hack may have included names, email addresses, telephone numbers, dates of birth, encrypted passwords and possibly security questions and answers, according to a Yahoo statement.
So far there is no evidence of unencrypted passwords or banking and credit card details being stolen, according to Bob Lord, Yahoo's chief information security officer. That information is stored on another system which is apparently not affected, he said.
The company is now notifying potentially affected users, and urging people to promptly change their passwords and account verification methods.
"The investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network," Lord said. "Yahoo is working closely with law enforcement on this matter."
Yahoo didn't say how the hackers broke into the company's network or which country may have sponsored the attacks.
The FBI said it was aware of the breach and is now investigating the matter.
"We take these types of breaches very seriously and will determine how this occurred and who is responsible."
Initial reports about the data theft surfaced in August, as a hacker tried to sell account information of 200 million users for less than 2,000 dollars online. The user, known as "Peace," had also previously tried to sell hacked information from online networks MySpace and LinkedIn.
The combination of usernames and email addresses obtained could lead to so-called phishing attacks using the data.
It's also unknown how many Yahoo profiles can be opened via correct answering of security questions directly.
In July, Yahoo sold its core operating business for 4.8 billion dollars to US broadband communications giant Verizon.
The company issued a short statement to US media Thursday saying it learned of the incident in the last two days but it only had limited information.
"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," it said.
It's the second occasion that Yahoo account information has been compromised in recent times. In June 2012 some 450,000 Yahoo usernames and passwords were stolen and published online.