Yahoo this week will disclose a data breach that compromised the details of several hundred million users, technology news site Recode reported on Thursday, citing unnamed sources familiar with the company’s plan.
Reuters was not able to confirm the report.
It was not clear how such a disclosure might affect Yahoo’s plan to sell its email service and other core Internet properties to Verizon Communications for $4.8 billion.
Representatives at Yahoo (YHOO) and Verizon (VZ) could not be reached for comment. Shares of both companies were up 0.5% in late morning trading, compared with a 0.6% increase in the Nasdaq Composite index.
If a breach is confirmed, Yahoo would likely force users to change their passwords, said Linn Freedman, a privacy attorney with Robinson & Cole.
But Yahoo would likely not need to notify individuals affected via mail or provide them with credit monitoring services if the scope of the breach is limited to what has been described in press reports.
“If no financial information or Social Security numbers are involved, then most state laws would not require notification and credit monitoring would not be applicable,” Freedman said.
Recode’s report follows an August 1 story on the technology news site, Motherboard, which said a cyber criminal known as Peace was selling the data of about 200 million Yahoo users, but did not confirm its authenticity.
The Motherboard report was published a week after Verizon announced its deal with Yahoo.
Peace was selling that data for three bitcoin, or around $1,860, according to Motherboard. Details that were possibly compromised include user names, birth dates, some backup email addresses and scrambled passwords, Motherboard said.
Get Data Sheet, Fortune’s technology newsletter.
Gartner analyst Avivah Litan said that even though a breach had not been confirmed, all Yahoo users should assume their credentials were stolen and change their passwords.
Stolen passwords are valuable to cyber criminals, she said, because consumers often reuse passwords. Criminals use stolen credentials for so-called “credential stuffing” attacks, which Litan said have surged over the past 18 months.
In such attacks, criminals use automated programs to cycle through stolen user IDs and passwords and log into personal accounts on sites such as banks, travel firms and online gaming firms.
While the average success rate is only 1% to 2%, consumers stand to lose money, credit card data, frequent flyer points, and cash stored on merchant wallets, she said.
Fortune will update this story as it develops.
