Yahoo! says hackers have probably stolen details from more than a billion user accounts, including names, addresses, phone numbers, and weakly hashed passwords in attacks dating back to 2013.
Chief information security officer Bob Lord said in a statement that this event is likely a separate haul unrelated to past breaches.
"We analysed this (stolen) data with the assistance of outside forensic experts and found that it appears to be Yahoo! user data," Lord says.
"Based on further analysis of this data by the forensic experts, we believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.
"We have not been able to identify the intrusion associated with this theft."
Passwords were hashed using the easy-to-subvert MD5 algorithm. Reg tech staff, on learning of the breach, say they started using more secure hashing algorithms years before this breach. Some encrypted and cleartext security questions and answers have been stolen.
Payment card data was not affected.
The theft leaves enormous numbers of users at potential risk of social engineering and identity theft, since criminals can use the personal information to help them assume identities and to target victims with spear-phishing campaigns.
It also brings Yahoo!'s acquisition by Verizon into question, as the much smaller September breach prompted questions about whether the purchase price Verizon will pay for the company should be reduced.