Yahoo in early August said it was aware of an alleged security breach involving the login credentials of some 200 million Yahoo accounts but didn’t confirm or deny its authenticity.

As it turns out, the breach was indeed legitimate and much worse than initially thought.

Yahoo on Thursday said it has confirmed that certain user account information was stolen from its network in late 2014 by what it believes was a state-sponsored actor. Data that may have been compromised included names, e-mail addresses, phone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and in some cases, encrypted or unencrypted security questions and answers.

Unprotected passwords weren’t compromised nor were payment cards as the latter weren’t stored on the affected system.

Whereas initial reports pegged the breach at 200 million accounts, Yahoo is now saying that data was stolen from at least 500 million accounts. Re/code said earlier today that the breach may prompt a government investigation due to its sheer size.

In addition to working with law enforcement on the matter, Yahoo said it is notifying potentially affected users and taking steps to secure their accounts including invalidating unencrypted security questions & answers and asking users to change their passwords. Those that haven’t changed their passwords since 2014 are also being encouraged to do so.

It’s unclear why it took nearly a month and a half for Yahoo to publicly confirm the breach although Engadget speculates that it might have something to do with Verizon’s active acquisition of Yahoo.