The US company said the hack, which happened in August 2013, was uncovered when law enforcement agencies handed over Yahoo user data stolen by a third party earlier this year.
Users names, emails, phone numbers and dates of birth could have been accessed, along with passwords and answers to security questions, although people’s bank details had been protected, Yahoo said. The latest figures show that the company has around one billion users a month – meaning this attack will affect most of Yahoo’s customers worldwide.
The Telegraph reports that The incident is the second to befall the company in recent months: in September, Yahoo revealed that at least half a billion users, including eight million from the UK, had their account data stolen from its networks in 2014 what it described as a “state-sponsored” attack. Yahoo said the 2013 incident was thought to be separate from the previously disclosed attack.
It separately revealed on Wednesday that it believed the same intruder responsible for the 2014 attack had also got into Yahoo’s system by forging cookies, data which allows websites to keep track of visitors, in order to access some user accounts, although it did not specify how many.
Yahoo said that it was notifying users who may have been affected and had taken steps to secure their accounts, as well as encouraging people to change their passwords and check for suspicious activity.
A number of major businesses use Yahoo’s email systems, including Sky and BT, and is likely to raise questions about how Yahoo allowed such a breach to happen.
Yahoo joins a growing list of popular social sites that have retrospectively discovered the loss of user information. Earlier this year the details of hundreds of millions of users of the social networks MySpace, LinkedIn and Tumblr were also found for sale online.