Yahoo has confirmed a 2014 user data breach was far larger than originally thought, with 500 million accounts and customer details stolen.
Yahoo's chief information security officer Bob Lord today confirmed that the information captured may have included user names, email addresses, telephone numbers, dates of birth and clear-text and encrypted security questions and answers.
But the company said no credit or debit card data or bank accounts were taken, given they weren't stored in the targeted system.
Account passwords were also copied by the hacker, but were hashed in most cases with the bcrypt function, which is considered resistant to brute-force cracking attempts.
Lord said Yahoo believes the hack was instigated by a state-sponsored actor, but did not provide specifics. He said Yahoo has found no evidence the state-sponsored hacker still had access to the company's network.
Yahoo is working with the authorities on the data breach, and has begun notifying users and asking them to change their passwords. The company suggested users switch to the Yahoo Account Key authentication tool, which does away with passwords altogether.
The breach first came to light in August this year, when a hacker nicknamed Peace advertised some 200 million Yahoo accounts for sale at the price of three Bitcoin (A$2340).
Peace is thought to be connected to the 2012 hack of professional networking site LinkedIn, which saw over 100 million accounts put on sale in 'dark web' forums.
Yahoo is currently being readied for sale to United States telco Verizon, in an A$6.7 billion deal.
Verizon told Reuters the company discovered the extent of the breach two days ago, and that it would "evaluate as the investigation continues through the lens of overall Verizon interests".