On September 22, 2016, Yahoo publicly announced that account information for at least 500 million users was stolen from its network in late 2014. The compromised information included names, email addresses, telephone numbers, birth dates, hashed passwords and security questions and answers. Yahoo believes the attack was perpetrated by a statesponsored actor, but did not provide further detail as to who that might be. In its announcement, Yahoo assured users that the “stolen information did not include unprotected passwords, payment card data, or bank account information,” and that the company is “working closely with law enforcement” to address the matter.
Yahoo has been criticized for the two-year delay in disclosing the breach. On September 27, 2016, six Democratic Senators sent a joint letter to Yahoo CEO Marissa Mayer, demanding more details about the breach and Yahoo’s response, including a timeline and an explanation for how “such a large intrusion of Yahoo’s systems [could] have gone undetected.”