About 500 million Yahoo users were hit by the 2014 hacking attack, the tech giant has confirmed.
The breach, the largest publicly disclosed in history, included swathes of personal information including names and emails as well as “unencrypted security questions and answers”.
According to Yahoo, the breach did not include any credit card data. The site said it believed the attack was state-sponsored.
In July, Yahoo was sold to Verizon for $4.8 billion.
News of a possible major attack on Yahoo emerged in August when a hacker known as “Peace” was apparently attempting to sell information on 200 million accounts.
On September 22, Yahoo confirmed the breach was far bigger than first thought.
The data taken includes names, email addresses, telephone numbers, dates of birth and encrypted passwords.
Yahoo recommended all users should change their passwords if they had not done so since 2014.
It said in a statement: “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
Reuters reported three unnamed US intelligence officials as saying they believed the attack was state-sponsored because it was similar to previous hacks linked to Russian intelligence agencies.