Yahoo has been struggling for a while, but it’s finally ‘fessing up: The once-dominant web empire announced Thursday that hackers stole personal information for over 500 of its users back in 2014.

Yahoo still hasn’t quite finalized a $4.8 billion sale to Verizon Wireless, so having one of the biggest known data breaches in America in the 21st century on its resume doesn’t look good. The hack affected more users than the 360 million hit by the Myspace hack revealed earlier this year.

Although the breach was two years ago, the potential damage done is likely far from over. Hackers managed to get names, email addresses, telephone numbers, birth dates, passwords, and in some cases, security questions of the users compromised. For reference, the House Oversight Committee says a data breach of 22 million government employees in 2014 and 2015 could have ramifications for American citizens for the next decade.

While it’s likely the Yahoo breach isn’t quite that severe, it’s suggested that all users change their passwords for both their Yahoo and Yahoo-managed (such as Flickr) accounts and review their accounts for suspicious behavior. It’s unclear if Yahoo-owned Tumblr was affected by the hack, but users should change the passwords for any accounts using the same information as their Yahoo accounts. So far the investigation suggests that the hack did not impact systems where payment and banking information is kept, according to a press release put out by Yahoo.

Yahoo is already working with the FBI to investigate the breach. The company believes a “state-sponsored actor” is accountable for the hack.

“State sponsored” probably means one of these dudes (Russian President Vladimir Putin and Chinese President Xi Jinping).
"State sponsored" probably means one of these dudes (Russian President Vladimir Putin and Chinese President Xi Jinping).

In August, Motherboard reported that the Russian hacker “Peace” was selling information from roughly 200 million Yahoo users on a black market online marketplace. At the time, reports assumed the information was from a 2012 hack, but it now seems more likely the information was from the 2014 breach.

“Peace_of_mind is the same actor whom Flashpoint previously reported as selling leaked MySpace and LinkedIn account credentials in May 2016,” Vitali Kremez, Cybercrime Intelligence Senior Analyst at Flashpoint, a cyber intelligence firm, told Inverse in an email. “This actor, who is also a co-founder of TheRealDeal Marketplace, is considered highly credible based on past activity and feedback from customers.”

It’s unclear if the breach is related to reports that the company was serving up malware-laced ads in 2014 that made users susceptible to hackers.

Photos via Getty Images / Lintao Zhang, Getty Images / Ethan Miller