Yahoo's (YHOO) troubles are far from over.

The internet giant confirmed today that "a copy of certain user account information" was stolen from the company in late 2014. Yahoo! CISO Bob Lord said in a statement that the company believes the hack was perpetrated by a "state sponsored actor." As many as 500 million user accounts were affected by the hack. The stolen information "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords."

Earlier this summer, the company said it was investigating news of a hack that exposed 200 million user accounts. One source speaking to Recode said "It's as bad as that. Worse, really." According to Motherboard, a hacker known as Peace, who was responsible for selling information on LinkedIn and Myspace users, was advertising credentials of Yahoo users online. The data dump was being sold for $1860. At the time, Yahoo said that they were aware of the claim but did not confirm or deny that Yahoo users were affected. The company never issued password resets, a usual course of action taken by websites that suspect a hack. (See also, Verizon Finally Acquires Yahoo Core Operations.)

Yahoo will be selling its internet assets to Verizon (VZ) for $4.8 billion, but the deal is still to be approved by regulators and shareholders. It is expected to be finalized in the first quarter of 2017. The confirmation of a data breach at this delicate time will make investors nervous and be another blow for CEO Marissa Mayer, who has faced severe criticism for not being able to turn the company around. She had said that she plans to stay with the company even after the sale.

Want to learn how to invest?

Get a free 10 week email series that will teach you how to start investing.

Delivered twice a week, straight to your inbox.