Yahoo says hackers stole information from about 500 million users in 2014 in what appears to be the largest publicly disclosed cyber-breach in history.
The breach included swathes of personal information including names and emails as well as “unencrypted security questions and answers”.
It did not include any credit card data, the site said, adding it believed the attack was state-sponsored.
In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn (£3.7bn).
The FBI has confirmed it is investigating the attack.
Password change urged
Media captionSecurity expert Troy Hunt provides safety tips to Yahoo users
News of a possible major attack on the technology firm emerged in August when a hacker known as “Peace” was apparently attempting to sell information on 200 million Yahoo accounts.
Yahoo on Thursday confirmed the breach was far bigger than first thought.
The data taken includes names, email addresses, telephone numbers, dates of birth and encrypted passwords.
Yahoo recommended all users should change their passwords if they had not done so since 2014.
Questions for Yahoo: Analysis by Dave Lee, BBC North America technology reporter, San Francisco
The nature of the information stolen feels somewhat run of the mill – no payment info, and passwords were encrypted. Good. But the chain of events leading up to this unprecedented announcement gives rise to some incredibly pressing questions for Yahoo.
Why did it take so long for them to confirm the hack and its scale? Why did it take them so long to tell users and prompt them to protect themselves?
State-sponsored attacks are typically for political, not financial gain. So why were details reportedly being sold online? What evidence is there that it was state-sponsored?
Verizon, which has agreed to buy Yahoo, said it had not been told until a couple of days ago – why not? And why is Marissa Mayer, a chief executive who has presided over bad deals and now the biggest breach in internet history, still in charge?
Follow Dave on Twitter@DaveLeeBBC
Verizon told the BBC it had learned of the hack “within the last two days” and said it had “limited information”.
The company added: “We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.
“Until then, we are not in position to further comment.”
Yahoo said in a statement: “Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry.”
Image copyrightYAHOOImage captionYahoo published details of the breach on its Tumblr blogging site
Reuters reported three unnamed US intelligence officials as saying they believed the attack was state-sponsored because it was similar to previous hacks linked to Russian intelligence agencies.
Nikki Parker, vice-president at security company Covata, said: “Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can’t shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem.”
She added: “Let’s hope the ink is dry on the contract with Verizon.”
Questions are being asked about the length of time it took Yahoo to fully acknowledge the breach.
“It is really worrying that a breach from 2014 can have gone undetected for so long,” said Prof Alan Woodward from the University of Surrey.
“It is also surprising the public statement took so long to appear.
Top 10 previous breaches
MySpace accounts – 359mLinkedIn accounts – 164mAdobe accounts – 152mBadoo accounts – 112mVK accounts – 93mDropbox accounts – 68mtumblr accounts – 65miMesh accounts – 49mFling accounts – 40mLast.fm accounts – 37m
Source – haveibeenpwned.com
“I would have thought most companies had learned by now that early disclosure is better, even if you have to revise and update as you learn more.
“I can understand a few days delay to confirm the breach is genuine as fake data dumps are increasingly common, but six weeks seems rather too long.”
The scale of the hack eclipses other recent, major tech breaches – such as MySpace (359 million), LinkedIn (164 million) and Adobe (152 million).
Yahoo was founded in 1994 by Jerry Yang and David Filo and in its first decade was a pioneer of internet services.
It was once the most popular website in the US and the company was worth about $125bn, but Yahoo lost ground towards the end of the first decade of the century, leading to its purchase by Verizon.
Verizon’s motivation for purchasing the struggling Yahoo was to simply gain its massive user base.
More than a billion people visit a Yahoo-owned site every month, and Verizon was hoping to use that to sell targeted advertising.
1994 Yahoo – which stands for Yet Another Hierarchically Organized Oracle – is founded2000 Yahoo valued at $125bn at height of dot.com boom2002 Google rejects a $3bn bid from Yahoo2008 Microsoft’s $44.6bn offer for Yahoo is turned down2013 Blogging site Tumblr acquired by Yahoo for $1.1bn2015 Yahoo makes net loss of $4.4bn2016 Verizon agrees $4.8bn deal to buy Yahoo