Coming just a couple of months after Yahoo revealed a similar attack, one that impacted 500m accounts rather than the 1bn in the latest revelation, the timing could hardly have been worse.
US telecoms giant Verizon is in the process of buying Yahoo in a deal worth $4.8bn (£3.8bn). After the last attack, Verizon said it was considering its options. This time, Yahoo said Verizon was fully aware of what had gone on and wasn't going to be pulling out as a result.
The hack stretched back to August 2013 and although no bank account details were pinched, a range of other data such as birthdays and email addresses were nabbed.
Nevertheless, experts stress it is distinctly embarrassing for the internet firm. Here's what some of them have to say on the matter...
The EU won't be happy
Sarah Stephens, head of cyber at insurer JLT Specialty, said:
"It is fairly extraordinary that a delay of several years could have occurred before the scale of the attack was uncovered. A sophisticated and well-established tech behemoth such as Yahoo is likely to have best-in-class intrusion detection and escalation capabilities, and the fact that this discovery comes only a few months after its previous discovery in September raises serious questions about the company's security."
It's critical for companies in the EU - who will be facing data breach reporting requirements in less than 18 months - to ramp up their detection capabilities now.
EU regulators will not look favourably on three-year delays in detection when determining how severe fines should be.
Jane Frost CBE, CEO of the Market Research Society said:
Adequate data protection comes down to fundamental respect for people and their personal data.
"This latest breach highlights how businesses can fall foul of having inadequate data protection policies in place. It’s fundamental to good business practice to embed the right data structures to safeguard the data we all rely on for commercial and public services. Safeguarding tools already exist to help organisations protect data.
"Unless action is taken these breaches will not only continue to happen, but happen with increasing frequency; sadly it’s just not enough of a board-level priority in many cases."
You're once, twice...
Ashley Winton, chairman of the UK Data Protection Forum, said:
The adage ‘once bitten, twice shy’ doesn’t appear to be working for Yahoo. Although we don’t know the full details, a number of important lessons can be inferred from news of one of the largest hacks in history. Firstly, hacking is no longer a game but if it were, the hackers would be winning.
"Again we can see that the Yahoo systems had suffered a historic compromise without Yahoo!’s existing and sophisticated security systems detecting the intrusion.
"In October, Verizon’s general counsel told reporters that it was reasonable that the first breach may be a material change to the plans for the $4.8bn acquisition. It has become clear that good cyber security due diligence is now an essential step for M&A or PE activity, especially if you are the acquirer or investor seeking a discount."