Yahoo says hackers stole information from about 500 million users in 2014 in what appears to be the largest publicly disclosed cyber-breach in history.
The breach included swathes of personal information, including names and emails, as well as “unencrypted security questions and answers”.
It did not include any credit card data, the site said, adding it believed the attack was state-sponsored.
In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn (€4.2bn, £3.7bn).
The FBI has confirmed it is investigating the attack.
News of a possible major attack on the technology firm emerged in August when a hacker known as "Peace" was apparently attempting to sell information on 200 million Yahoo accounts.
Yahoo on Thursday confirmed the breach was far bigger than first thought.
The data taken includes names, email addresses, telephone numbers, dates of birth and encrypted passwords.
Yahoo recommended all users should change their passwords if they had not done so since 2014.
Reuters reported three unnamed US intelligence officials as saying they believed the attack was state-sponsored because it was similar to previous hacks linked to Russian intelligence agencies.
Nikki Parker, vice-president at security company Covata, said: "Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can't shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem."
She added: "Let's hope the ink is dry on the contract with Verizon."
Questions are being asked about the length of time it took Yahoo to fully acknowledge the breach.
"It is really worrying that a breach from 2014 can have gone undetected for so long," said Prof Alan Woodward from the University of Surrey.
"It is also surprising the public statement took so long to appear.