In what marks the biggest data breach in history, hackers swiped personal information associated with at least half a billion Yahoo accounts, Yahoo confirmed in a press release on Thursday.

The hack took place two years ago and exposed not only names, phone numbers, email addresses and birth dates but, in some cases, also security questions and answers and encrypted passwords.

The internet giant said it’s ‘working closely’ with law enforcement and called the hackers a ‘state-sponsored actor’, meaning an individual acting on behalf of a government. However, the country behind the hack has not yet been identified.

Yahoo asked users to urgently change their passwords, especially if they haven’t done so since 2014. Experts are working on alternatives to passwords, such as biometrics like fingerprint or retina. In the meantime, though, we are strongly advised by cyber-security specialists to choose a different password for every virtual account we own.

According to Brett McDowell, executive director of the FIDO Alliance, an organization that vets the security of password alternatives, cyber criminals know that consumers use the same passwords across websites and applications, which is why ‘these millions of leaked password credentials are so useful for perpetuating fraud’. ‘We need to take that ability away from criminals, and the only way to do that is to stop relying on passwords altogether,’ McDowell adds.

Verizon, which is in the process of buying Yahoo for $4.83 billion, said it was notified about Yahoo’s security incident only recently. Verizon agreed to buy Yahoo’s core properties a few days before the hack was first reported. The telecommunications giant had ‘limited information and understanding of the impact,’ according to a statement. A spokesperson for Verizon said in a statement provided to CNN Money that the problem will be evaluated ‘through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities’.