Yahoo on Thursday said that information associated with at least 500 million user accounts was stolen from its network in 2014 by what it believed was a "state-sponsored actor."
"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen," said a statement from the US Internet giant.
"Yahoo is working closely with law enforcement on this matter."
The comments were the first confirmation from Yahoo of the huge data breach, and came after a report earlier this year quoting a security researcher saying some 200 million accounts may have been accessed.
In July, Yahoo was sold to United States telecoms giant Verizon for $4.8 billion (Rs 32200 crore).
The FBI has confirmed it is investigating the attack.
Stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts, according to Yahoo.
The ongoing investigation suggested that looted data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.
Yahoo is asking affected users to change passwords, and recommending anyone who hasn't done so since 2014 take the same action as a precaution.
Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.
"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," Yahoo said in a release.
"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account."