Yahoo today revealed it had recently identified a new system breach that occurred in August 2013 and involved data associated with more than one billion user accounts.
The company said it believed the incident was separate from the breach it disclosed in September, in which information associated with at least 500 million user accounts was stolen from its network in 2014.
Yahoo, which is being acquired by Verizon, said an unauthorised third party had stolen the data in the latest breach, and that it was working closely with law enforcement.
The company’s chief information security officer Bob Lord said in a statement that the company had not been able to identify the intrusion associated with the data theft.
Based on an ongoing investigation by outside forensic experts, Lord said Yahoo believes the attacker accessed the company’s proprietary code and learnt how to forge cookies.
The use of forged cookies is similar to the 2014 data breach, pointing to a connection between the two mass hacks, Lord said.
"We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016," Lord said.
The company said the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
"The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information," Lord said.
"Payment card data and bank account information are not stored in the system the company believes was affected."
Yahoo is urging its users to change their passwords, and has invalidated unencrypted security questions and answers so they can't be used to access an account.