Call it Murphy's law in action: Yahoo has been hacked, in a big way.

The company reported last month it was aware a hacker was claiming to possess 200 million Yahoo user credentials. Now it's's been forced to acknowledge that claim is true -- and a "state-sponsored actor" was behind it.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network," the company announced Thursday. "Yahoo is working closely with law enforcement on this matter."

The good news is the hackers' haul "did not include unprotected passwords, payment card data, or bank account information," Yahoo says. But it did include names, email addresses, dates of birth and security-question answers, making account-holders vulnerable to other hacks. Yahoo says anyone who hasn't changed their password since 2014 should do so immediately.

Adding insult to injury for Yahoo users: The company probably could have told users to change their passwords when it first became aware that there might be a hack, but it didn't. Telling them now may be "a case of too little, too late," according to Recode editor Kara Swisher.

There's never a good time to get hacked, but for Yahoo the timing is especially lousy. The company is slated to sell its core business--which would include email--to Verizon for $4.8 billion. A possible concern now for shareholders, reports Swisher: Is that $4.8 billion going to dip to a lower price tag to reflect liabilities created by the hack?

It almost goes without saying that this reported security breach and the company's slow-footed response is going to find its way onto CEO Marissa Mayer's permanent record. The executive has faced nonstop criticism for her management style and choices as Yahoo's performance has faltered over the course of her tenure.