Yahoo confirmed on Thursday that information associated with at least 500 million user accounts was stolen.
An investigation by Yahoo confirmed that a data breach in late 2014 revealed information that may have included names, email addresses, telephone numbers, dates of birth, and some passwords and security questions and answers. That information may now be in the hands of a state-sponsored actor that no longer appears to be in the Yahoo network, the company said.
Payment card data, bank account information and certain passwords were not stolen, it said in a statement. Yahoo is advising potentially affected users to change their passwords and invalidate their security questions and answers.
Recode had originally reported that Yahoo was poised to announce a data breach, but that article estimated only that hackers had access to "several hundred million user accounts." In August, Yahoo said it was investigating a possible breach after a hacker claimed to have stolen 200 million Yahoo user accounts, less than half of what was announced on Thursday.
Recode's earlier reporting also indicated the information was from 2012 rather than 2014.
The disclosure comes as Yahoo has been increasingly cracking down on state-sponsored attacks, after launching a program that has notified 10,000 users of state-sponsored targeting since December 2015.
Verizon, which agreed to buy Yahoo earlier this year, confirmed it was notified of the Yahoo breach within the last two days, but has "limited information" on the attack and will evaluate as the investigation continues.
The FBI said in a statement it "is aware of the intrusion and investigating the matter."
"We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals," the agency said.
Cybersecurity experts agree that speed is important when responding to a breach in order to mitigate the impact.
"Every day it goes undetected, unchecked, that's going to escalate damage," said Matt Ehrlich, vice president of fraud and identity product strategy at Experian.
— Reporting by CNBC's Harriet Taylor and Tae Kim.