Yahoo said on Wednesday that it has identified a new breach that occurred in August 2013 and involved data associated with more than one billion user accounts, double the number affected in a different breach disclosed in September.
Yahoo said it believed the latest incident was likely distinct from the breach disclosed in September, when it said information associated with at least 500 million user accounts was stolen in 2014.
The 2014 breach was believed to be the world's biggest known cyber breach by far.
The company, which is being acquired by Verizon for about $4.8 billion, said an unauthorized third party had stolen the data in the latest breach and that it was working closely with law enforcement.
The company said it has not been able to identify the intrusion associated with the theft.
The search giant said in a statement, "The company has connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."
Yahoo said the stolen user account information may have included names, e-mail addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Payment card data and bank account information were not stored in the system believed to be affected, the company said.
Yahoo, whose shares were down more than 2 percent in extended trading, said it is notifying potentially affected users and has taken steps to secure their accounts.
Verizon said, "we will review the impact of this new development before reaching any final conclusions." Verizon shares were little changed in late trade.
— CNBC.com contributed to this report.