On Thursday, Yahoo issued a statement confirming that at least 500 million users’ account data had been compromised in late 2014, supposedly by a “state sponsored actor,” or an individual hired by some governmental body to carry out the hack.

According to the statement, the data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords …and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo indicates no financial data was breached.

Users who had or used Yahoo services, including Mail, Flickr, Fantasy Sports, and others, during that timeframe are being advised to change their passwords for Yahoo and any other services that may use the same login credentials, as well as changing security questions for other services.

Lots of questions surround this breach, with one of the most notable being why Yahoo waited so long to announce the hack. Many speculate information was concealed to prevent souring the sale of Yahoo to Verizon. CNN reports that Verizon learned of the hack for the first time this week.

As email senders and recipients, most of us care much less about Yahoo and Verizon’s financials than about potential fallout from the breach including identify theft, spam email, and even blackmail. Even if credit card data wasn’t stolen, the hackers now have personal information about millions of Yahoo users, including answers to some of the questions most commonly used to verify their identity.

Yahoo’s wait to announce the hack could mean the greatest damage has already been done: hackers often act quickly with stolen data, selling or sharing it quickly to outrun detection attempts. However, if the breach truly was initiated by a foreign government, the motivation may not be so clear.

Yahoo has said they are cooperating with Federal authorities to investigate, and it’s a safe bet we’ll hear more details as the investigation continues.

– BG