Back in August, Motherboard's Joseph Cox reported that 200 million apparent Yahoo user credentials were being sold on the dark web. At the time, the company's response was only that it was "aware of [the] claim."
But now Kara Swisher, one of the tech industry's most respected journalists, is reporting for Recode that Yahoo sources tell her the company is preparing to publicly confirm the hack. (Her sources did not confirm its exact size, only that it was "widespread and serious.")
Yahoo did not immediately respond to Business Insider's request for comment.
Motherboard was told by the hacker who held the data (and was selling it for 3 bitcoins, worth $1,860 at the time) that the breach was carried out in 2012 — and was never made public. Data included usernames, encrypted passwords, date-of-births, and some email addresses.
A spate of historic data breaches affecting millions of users have recently been coming to light, affecting companies including LinkedIn, MySpace, and Tumblr. If user passwords are unencrypted (or not encrypted properly), hackers can then use this login data to break into individual user accounts — and often, because people reuse passwords across multiple sites, the hackers can use the information to break into accounts on other sites as well.
We saw multiple high-profile demonstrations of this problem this summer, as celebrities and public figures including Mark Zuckerberg and Drake had their Twitter accounts broken into. Twitter wasn't hacked — but the victims had reused passwords that were also used on hacked websites.
This new attention on the alleged breach comes at an awkward time for Yahoo. The tech company is selling its core business to Verizon for $4.8 billion (£3.7 billion) after years of flagging fortunes.
There's nothing ordinary users can do to prevent these kinds of breaches, but using a strong, unique password on each website or service you have an account on (managing those passwords with a password-manager app if necessary) will help limit the damage.