Earlier today, Kara Swisher reported that Yahoo would be confirming the breach of 200 million accounts said to have been compromised in 2012. Swisher was, unfortunately, wrong — the breach turns out to have occurred in 2014, and the size of it is unprecedented.
Bob Lord of Yahoo:
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
This far eclipses the impact of the previous record-holding breach — a set of nearly 360 million MySpace accounts, ostensibly leaked by the same hacker, “Peace” (PDF), responsible for the 2012 breach.
Also, you read that right: Yahoo is blaming this attack on a “state-sponsored actor”. They haven’t disclosed any more than that, but in a June interview with Wired, Peace claimed to be Russian and working on behalf of a Russian “‘team,’ if you want to call it that”.
Peace is also responsible for the earlier leak of 65 million Tumblr accounts, originating sometime in 2013. It’s unclear whether there’s some overlap between the two data sets, as Yahoo acquired Tumblr that same year.
Update: Clarified the role of Peace in the 2012 attack.