Yahoo says it believes more than one billion user accounts may have had data stolen in a cyber attack in 2013.
In another embarrassing episode for the US technology giant, it was different to the one in 2014, revealed this September, in which 500 million accounts were affected.
It made the latest discovery as it was investigating the hack from two years ago which it had said was “state sponsored”, although some analysts questioned that theory.
Yahoo believes an unauthorised third party had stolen the data in the newly revealed hack and said it was working closely with authorities.
It is thought to be the biggest data breach at an email provider.
Stolen user account information may have included names, email addresses, phone numbers, dates of birth, “hashed” passwords and, in some cases, encrypted or unencrypted security questions and answers.
Password hashing is a security measure and without it, all passwords stored in a compromised database would be exposed without any form of encryption.
Payment card data and bank account information were not stored in the system believed to be affected and the hackers did not obtain passwords in clear text, the company said.
It said in a statement: “Yahoo believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.”
Yahoo said this case “is likely distinct from the incident the company disclosed on September 22, 2016”.
Verizon, which is in the process of buying Yahoo for $4.8bn (£3.8bn), said of the 2013 hack: “We will review the impact of this new development before reaching any final conclusions.”
The breach disclosed in September had already threatened to derail the deal or result in a reduction in the sale price.
Yahoo used to be one of the internet’s biggest names but has failed to keep up with the likes of Google and Facebook.
In the mid-1990s it was among the most popular sites, helping many people navigate the web.
But its fortunes started to fade when Google became the dominant search destination.