Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.

The Yahoo breach of 500 million accounts, which is being blamed on a "state-sponsored actor," was way worse than anyone expected.

The internet company, which is in the process of being sold to Verizon, confirmed it had fallen victim to a hacker in late 2014 in what security experts are saying is believed to be the biggest breach of all time.

Byers Market Newsletter Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox. This site is protected by recaptcha

"This cycle [of credential spills] is typical, but the scale is pretty astounding," Shuman Ghosemajumder, chief technology officer of Shape Security, a Google Ventures-backed firm, told NBC News.

"Yahoo is such a general website so it represents a cross-section of the worldwide population that could be affected by this," he said. "This really takes the risk up to a new level."

In May, it was revealed that as many as 360 million Myspace usernames, emails and passwords for accounts created before June 11, 2013 may have been stolen by the same hacker who revealed the Yahoo breach last month to Vice's Motherboard. LinkedIn may have also fallen victim in a 2012 hack. Both companies said they required possibly impacted accounts to change their passwords.

Data security expert Timothy Carone, a professor at the University of Notre Dame's Mendoza College of Business, told NBC News these types of breaches can happen to any company.

"It is an arms race. Things like this are going to happen to the best in the business," he said. "I don't believe it is because Yahoo has been lax or has not taken this sort of thing seriously -- it could have every easily been someone else."

Bob Lord, Yahoo's chief information security officer, confirmed the breach in a statement on Thursday afternoon and said the company was "working closely with law enforcement on this matter."

The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, according to Lord, encrypted or unencrypted security questions and answers.