Yahoo! is resetting email account credentials for an unspecified number of accounts after warning attackers stole usernames and passwords in a "coordinated effort".
Attackers appear to have leveraged credentials held by an unnamed third party service and were targeting users' most recent sent emails, the company said.
Yahoo! did not specify how the attacks were conducted or when, but said it had no evidence that its internal infrastructure had been compromised.
"Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise," Yahoo! platforms senior vice president Jay Rossiter said.
"We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts."
Affected users would need to set a new password and configure two factor authentication.
Yahoo! said it was working with US federal law enforcement in its investigation of the attacks.
It had also implemented "additional measures" to "block attacks against Yahoo’s systems".
The company recommended users adopt implement strong passwords that were not reused on other sites.