Computer hackers swiped personal information from at least 500m Yahoo accounts in 2014, the US tech company has announced, in what is believed to be the biggest ever digital break-in at an email provider.
The massive security breakdown disclosed on Thursday was blamed by Yahoo on a "state-sponsored actor" - parlance for a hacker working on behalf of a foreign government.
The California-based company did not explain what took so long to uncover the breach, and declined to explain how it reached its conclusions about the hacker. It said, however, it was working with the FBI and other law enforcement as part of its ongoing investigation.
The stolen data includes users' names, email addresses, telephone numbers, birth dates, scrambled passwords, and security questions - and answers - used to verify an account holder's identity.
READ MORE: Could Russian hackers change the US election result?
Last month, the tech site Motherboard reported that a hacker who uses the name "Peace" boasted that he had account information belonging to 200m Yahoo users and was trying to sell the data on the web.
Yahoo is recommending that users change their passwords if they haven't done so since 2014. The company said the attacker didn't get any information about its users' bank accounts or credit and debit cards.
The data breach poses new headaches for Yahoo CEO Marissa Mayer as she tries to close a $4.8bn sale to Verizon Communication.
News of the security lapse, which dates back to late 2014, could cause some people to have second thoughts about relying on Yahoo services, and raise questions about the checks and balances within the company.
READ MORE: US - Chinese national jailed over military hacking
The sale to Verizon, announced two months ago, is not supposed to close until early next year.
That leaves Verizon with wiggle room to renegotiate the purchase price, or even back out if it believes the security breach will harm Yahoo's business.
Source: News Agencies