Yahoo Inc. said Thursday that hackers backed by an unnamed foreign government had stolen personal information from more than 500 million of its users’ accounts, one of the largest security breaches of the Internet age.
Meanwhile, a website with suspected ties to the government of Russia leaked stolen information about the travel itinerary of Vice President Joe Biden and First Lady Michelle Obama, including a scanned image of her passport.
The Yahoo breach puts at risk passwords, e-mail address, and phone numbers for millions of users. Yahoo urged consumers to be wary of suspicious e-mails.
The two episodes are the latest sign that the world’s best computer security engineers seem incapable of securing the nation’s critical computer networks against spies and criminals.
Federal law enforcement officials are looking into both cyber attacks.
Last month, US officials said Russian hackers attacked voter registration computers in Illinois and Arizona, and stole personal information on as many as 200,000 Illinois voters. In July, thousands of e-mails stolen from the Democratic National Committee were made public; again, US intelligence officials blamed Russia. In June 2015, the Office of Personnel Management said criminals believed to be working on behalf of China had stolen the records of 21.5 million current or former US government employees.
“You cannot assume that anything electronic is safe, that anything digital is safe,” said Jeff Pollard, a digital security analyst for Cambridge-based Forrester Research.
The Yahoo saga began in August, when the website Motherboard reported that a hacker known as “Peace” was attempting to sell copies of a file containing 200 million stolen Yahoo user accounts for about $1,900. Yahoo investigated and concluded there was no truth to the claim. But during the investigation, Yahoo’s researchers uncovered a much worse data breach that had gone undetected for two years.
Yahoo said it believes the hack was carried out by “a state-sponsored actor” — in other words, an unidentified foreign government. The stolen data are believed to include names, e-mail addresses, telephone numbers, dates of birth, and encrypted passwords.
Yahoo said the thieves did not gain access to computers containing unprotected passwords, payment card data, or bank account information. Yahoo urged its users to check their accounts for signs of suspicious activity and to change their passwords and security questions immediately.
Users of Yahoo Mail were also told to beware of suspicious e-mail messages. These could be fraudulent “phishing” messages sent to people whose addresses have been stolen, seeking to get further data.
‘‘We take these types of breaches very seriously and will determine how this occurred and who is responsible,’’ the FBI said in a statement.
Yahoo, founded in 1994, was an early star of the dot-com boom, but its Internet search business was eclipsed by Google’s and it struggled to compete for advertisers. Its finances steadily weakened, and in July it struck a deal to be acquired by Verizon Communications Inc. for $4.83 billion. Thursday’s disclosure could complicate the deal, as Verizon said it learned of the hack “within the last two days.”
Still, the company is one of the world’s leading online destinations for news and information, and its e-mail service is used by hundreds of millions of people. Its websites, which include Yahoo News and Tumblr, attract about a billion users per month worldwide. In the United States alone, the company’s various Internet services attract over 200 million users a month, making it the third most popular Internet destination, after Google and Facebook.
The typical Yahoo user might not seem important enough to be targeted by foreign agents. But Stuart Madnick, professor of information technologies at the MIT Sloan School of Management, said the records of a seemingly insignificant person could someday prove useful. “It’s stockpiling weapons,” Madnick said. “At some point in the future you might be somebody important.”
Besides, he said, a successful raid on Yahoo would teach lessons that could be used in attacks on other targets. “If it does work,” he said, “I’m going to do it to Microsoft next, I’m going to do it to Google next.”
Bruce Schneier, a fellow at the Berkman Klein Center for Internet & Society at Harvard University, said the Yahoo breach was very serious because so many Internet users routinely store sensitive data on Internet-based systems — not on the hard drives in their desktop PCs, for example. “We no longer keep our stuff on our computers,” he said. “We keep our stuff on their computers.”
But Schneier, who is also chief technology officer of Resilient, an IBM data security company, said consumers are still better off relying on cloud-based services. These systems, despite their flaws, are still more secure than the average home computer. “For most people,” he said, “these companies do a much better job of protecting their data then they do.”
The stolen information about Michelle Obama was part of a batch of e-mails from February 2015 through July 2016 and purportedly hacked from the Gmail account of a White House “advance” staffer responsible for the logistics of official trips. The breach included the photo and information page of her passport, including passport number, birth date, and place of birth — most of which is public information.
The White House said it was looking into the breach, as did the attorney general.
NBC News reported the e-mails were sent from the Gmail account of Ian Mellul, a contractor at the White House. They included sensitive information such as the names of Secret Service and White House Military Office personnel who traveled with President Obama to Cuba; a guide to computer security for the president’s staff while traveling abroad; and travel schedules for Democratic presidential candidate Hillary Clinton and her husband, former president Bill Clinton.