Yahoo says information associated with at least 500 million user accounts was stolen from its network in 2014 by a "state-sponsored actor."
The company said on September 23 that an internal investigation has concluded that "certain user account information was stolen" and that the attack came from "what it believes is a state-sponsored actor."
Some U.S. intelligence officials, who declined to be identified by name, have told news agencies they believed the attack was state-sponsored because of its resemblance to previous hacks traced to Russian intelligence agencies or hackers acting at their direction.
Yahoo has said it was working with law enforcement on the matter.
A well-known U.S. cryptologist, Bruce Schneier, told media that the impact on Yahoo and its users remains unclear.
On its website on September 22, Yahoo encouraged users to change their passwords but did not require it.
The data stolen may have included names, email addresses, telephone numbers, dates of birth and hashed passwords but may not have included unprotected passwords, payment card data or bank account information, the company has said.
Based on reporting by Reuters and AFP