The company admitted last night as many as 500m of its users' personal details had been compromised in a 2014 breach by what it called a "state-sponsored actor".
What was stolen?
In an email sent out to users, Yahoo said the stolen information may have included names, email addresses, phone numbers, dates of birth, "hashed" (masked) passwords, and in some cases security questions and answers.
Was anything not stolen?
The company said its investigation suggests the information did not include unprotected passwords, payment card data and bank account information. It added that bank account information and payment card data isn't stored in the system that was breached.
The hack doesn't affect Tumblr accounts.
How to protect yourself
Yahoo recommended that users change their password and security questions for any accounts which use similar or the same information as their Yahoo accounts (ie. if your Gmail account uses a similar password, change it now).
Keep an eye out for suspicious activity on all your accounts, and beware of unsolicited communications from people or web pages asking for information, and suspicious attachments you weren't expecting.
The Yahoo hack is said to be the biggest ever - even beating a 2008 breach of MySpace, in which almost 360m accounts' details were stolen. The hack wasn't revealed until May this year, when it was put up for sale on the "Real Deal" dark market website.