Yahoo says hack may have been state-sponsored.
From The Wall Street Journal:
Yahoo Inc. on Thursday disclosed a massive security breach by a “state-sponsored actor” affecting at least 500 million users...
Yahoo said a copy of certain user account information—including names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers—was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor.
Yahoo said it is notifying potentially affected users and has taken steps to secure their accounts by invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. The company, which is working with law enforcement, said the continuing investigation indicates that stolen information didn't include unprotected passwords, payment card data, or bank account information....
In August, a hacker named “Peace” appeared in online forums, offering to sell 200 million of the company’s usernames and passwords for about $1,900 in total. Peace had previously sold data taken from breaches at Myspace and LinkedIn Corp. A Yahoo spokesman said at the time that the company was aware of the claim and was “working to determine the facts.”