The breach caps off a year of blunders for Yahoo as its $4.8 billion sale to Verizon hangs in the balance.
The company also said it analysis has led it to believe the same state-sponsored hackers were involved in this newly-disclosed attack.
Verizon, which was reported to have reached a deal to buy Yahoo in July for $4.8 billion, reportedly asked for a $1 billion discount on the acquisition price in October. Yahoo has argued that news of the 2014 hack didn't negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.
Verizon declined to comment beyond an earlier statement on the breach. "Based on the ongoing investigation", Lord said, "we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies..."
Yahoo also previously disclosed an investigation into the creation of forged cookies that could allow an intruder to access users' accounts without a password.
On Thursday, Yahoo's stock plunged 6 per cent as investors anxious that Verizon would abandon the purchase. "If the liabilities of the rest of the company are more significant-because of lawsuits and damages and reputational damage-than we had thought, that could impact the deal financially". If Verizon finds that the overall value of Yahoo hasn't changed, then the issue could be resolved by simply splitting future liabilities. Yahoo closed down 6.1% at $38.41.
In the latest case, telephone numbers, names, email addresses, hashed passwords, dates of birth, and unencrypted and encrypted security questions were among the data stolen.
The company added that some of its partners were affected.
Yahoo has said that payment data, bank account information and passwords in plain text were not compromised by the breach.
Yahoo this week provided details about another security breach that exposed the data of "more than one billion user accounts".
"As we've said all along, we will evaluate the situation as Yahoo continues its investigation", the statement said.
Bloomberg reported that the latest reported Yahoo! hack affected more than 150,000 government employees. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source. "If you're using a password manager, you simply change the single affected password and get on with your day", says Ron Winward of security vendor Radware.
"The trust that your users have in you is directly tied to the level of security they expect", he said.
"If this was the work of a rogue insider or an external hacker, it is highly likely they would have attempted to cover their tracks, using a credential which authorised them to delete or amend security logs - effectively hiding their digital crime forever".
The sides were close to an agreement, the people familiar said, but that has been derailed after the discovery of this latest, larger breach.
Steve Grobman, chief technical officer at Intel Security, said the two incidents show "there were clear weaknesses in the architecture" used by Yahoo but that such hacks are not just about technology.