Yahoo said Thursday a massive attack on its network in 2014 accessed data from at least 500 million users and may have been "state sponsored."
"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen," a statement from the US Internet giant.
"Yahoo is working closely with law enforcement on this matter."
The comments were the first confirmation from Yahoo on the huge data breach, and come after a report earlier this year quoting a security researcher saying some 200 million accounts may have been accessed.
Stolen information may have included names, email address, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts, according to Yahoo.
The ongoing investigation suggested that looted data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.
Yahoo is asking affected users to change passwords, and recommending anyone who hasn't done so since 2014 take the same action as a precaution.
Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.
"Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry," Yahoo said in a release.
"Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account."