Hackers stole information from about 500 million users from Yahoo, the company has confirmed.
The breach occurred in late 2014 and included swathes of personal identifiable information, as well as “unencrypted security questions and answers”.
It did not include any credit card data, the site said, adding it believed the attack was state-sponsored.
In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn (£3.7bn).
It is not yet known if the breach will have an impact on that sale or its valuation.
News of a possible major attack on Yahoo emerged in August when a hacker known as “Peace” was apparently attempting to sell information on 200 million Yahoo accounts.
Yahoo on Thursday confirmed the breach was far bigger than first thought.
It recommended all users should change their passwords if they had not done so since 2014.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” the company said in a statement.
“What is noticeable here is that this breach is massive,” said Nikki Parker, vice-president at security company Covata.
“Yahoo is likely to come under intense scrutiny from regulators, the media and public and rightly so. Corporations can’t shy away from data breaches and they must hold their hands up and show that they are committed to resolving the problem.”
She added: “Let’s hope the ink is dry on the contract with Verizon.”
The scale of the hack eclipses other recent, major tech breaches – such as MySpace (359 million), Linkedin (159 million) and Adobe (152 million).