More than one billion Yahoo accounts may have been affected in a hacking attack dating back to 2013, the internet giant reveals.
Yahoo said it appears separate from a breach disclosed in September, when it revealed some 500 million accounts were accessed in 2014.
The company said names, phone numbers, passwords and email addresses were stolen, but not bank and payment data.
When Yahoo disclosed in September the 2014 data breach, the internet giant said information had been “stolen by what we believe is a state-sponsored actor”. Yahoo did not say which country it held responsible.
The 2014 breach included swathes of personal information, including names and emails, as well as “unencrypted security questions and answers”.
Yahoo has come under pressure to disclose why it took so long for the breach to be made public.
The new breach raises fresh questions about Verizon’s $4.8 billion proposed acquisition of Yahoo, and whether the US mobile carrier will try to modify or abandon its bid.
If the hacks cause a user backlash against Yahoo, the company’s services would not be as valuable to Verizon.
In a statement, Verizon said that it would evaluate the situation as Yahoo investigates and would review the “new development before reaching any final conclusions”.
On December 14, Yahoo said that users should change their passwords and security questions.