Newsroom

Yahoo, Inc., admitted Thursday that a 2014 data breach affected at least 500 million users – more than double initial estimates of 200 million.

If Yahoo's estimate is accurate, the breach would now be the largest on record, trumping the MySpace breach that affected 427 million users earlier this year.

Yahoo said it believes the breach was perpetrated by a state actor. The breach compromised information including users' names, email addresses, phone numbers, birth dates, encrypted passwords and some security questions and answers. Yahoo said it does not appear payment card information or bank account information was compromised.

Yahoo said it is working with law enforcement and it recommended users who have not changed their passwords since 2014 to do so. Yahoo is also notifying potentially affected users and has invalidated unencrypted security questions and answers.

Earlier on Thursday, sources had told Recode that Yahoo would shortly admit to having suffered a breach affecting as many as 200 million users or more.

Yahoo first announced it was investigating a potential data breach in August, after rumors started.

The announcement comes amid negotiations over a $4.8 billion sale of Yahoo's core business to Verizon, and it could affect the price of the sale.

NAFCU continues to push for a strong national data security standard through the "Data Security Act" (H.R. 2205/S. 961), which would hold retailers and others to the same standards credit unions already follow under the Gramm-Leach-Bliley Act and institute strict consumer notification requirements.