The breach is the second mammoth attack on Yahoo uncovered this year and has affected more than double the number of accounts compared with a breach revealed in September – which the firm said was “distinct” from the latest intrusion.
The hack stretched back to August 2013 and led to personal data – such as names, email addresses, dates of birth, passwords and phone number – being stolen from accounts. Yahoo added in a statement:
Payment card data and bank account information are not stored in the system the company believes was affected.
Verizon: Deal or no deal?
The news could have huge implications for the future of the internet company and a $4.8bn (£3.8bn) takeover by US telecoms giant Verizon. Following September's revrelations, Verizon was forced to admit it was considering its options.
However, in the wake of the latest news Verizon was keeping its powder dry for now, it said:
We [Verizon] will review the impact of this new development before reaching any final conclusions.
A spokesperson for Yahoo told Reuters that Verizon has been kept fully appraised of the latest breach and the firm is confident the incident will not impact the Verizon deal.
Whereas Yahoo blamed the September breach on hackers working on behalf of a government organisation, it currently had no more information as to the identify of the latest attack: “The company has not been able to identify the intrusion associated with the theft.”
Separately, the internet company is also concerned about the creation of “forged cookies”, which could allow hackers to access user accounts by the back door – bypassing password verification.
It has enlisted the help of forensic experts and has ascertained such issues are connected to the “state-sponsored actor” from the attack announced in September.