(Bloomberg) -- Yahoo! Inc. said the personal information of at least 500 million users was stolen in an attack on its accounts in 2014, exposing half of its roughly 1 billion users ahead of Verizon Communications Inc.’s planned acquisition of the web portal’s assets.

The attacker was a “state-sponsored actor,” and stolen information may include names, e-mail addresses, phone numbers, dates of birth, encrypted passwords and possibly security questions and answers, Yahoo said Thursday in a statement. The continuing investigation doesn’t indicate the theft of payment data or bank account information, or unprotected passwords, the company said. Affected users are being notified and their accounts are being secured, it also said.

The disclosure of the data theft comes at a particularly sensitive time for Chief Executive Officer Marissa Mayer, as she navigates the company toward a planned $4.8 billion acquisition by Verizon, set to close by early next year. Mayer, who has dealt with difficulties and complaints about Yahoo’s e-mail service in the past, needs to keep users logging in to drive traffic and draw the advertising that fuels the company’s revenue growth, which has been sluggish under her leadership.

“Yahoo is working closely with law enforcement on this matter,” the company said in the statement. “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”

Dark web marketplace


The confirmation that accounts were compromised came almost two months after the company said it was investigating claims that a hacker was offering to sell user account details stolen in a data breach. The same hacker who previously sold data taken from LinkedIn and MySpace has posted information from 200 million Yahoo accounts on a dark web marketplace, Motherboard reported in early August. The stolen information being offered was most likely from 2012, Motherboard reported, citing the hacker, who uses the name Peace.

It’s worth noting, though, that many of the stolen accounts in a sample of data obtained by Motherboard were no longer in use and had been canceled. The sale of all of the data for just under $2,000 also suggested that the information was of little value, either because most of it was obsolete, made-up, or useless because the hackers had already attacked legitimate accounts and exhausted their need for the data.

Underscores danger


While the breach is a blow to Yahoo in particular, more broadly it underscores the danger of large datasets spilling into the hacker underground and being used for criminal purposes for years without the breached companies knowing or with them only taking minimal action based on whatever data hackers tell them was taken.

LinkedIn said in May that it was investigating whether a breach of more than 6 million users’ passwords in 2012 was bigger than originally thought, following a hacker’s attempt to sell what was purported to be login codes for 117 million accounts. The company said that it appeared more data was taken in the initial compromise and that the company was just learning about the larger amount through the hacker’s posting.

Like many internet companies that have been breached, LinkedIn only reset passwords of everyone it believed was part of the breach at the earlier time, which amounted to 6.5 million users.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
