Hackers managed to steal data from 500 million Yahoo email accounts and the tech giant is now under pressure to explain how the cyberattack happened.
The US technology giant believes the 2014 attack, which has only just come to light, was state-sponsored and could be the biggest ever security breach for a firm.
Yahoo said the stolen information may have included names, email addresses, dates of birth, hashed passwords and, in some cases, security questions and answers.
It did not include unprotected passwords, payment card data or bank account information, the firm said.
:: What do you do now if you have an account?
Yahoo is advising account holders to change their passwords, not only on their Yahoo accounts, but on all linked accounts or those which have the same or similar passwords.
It says this is particularly important if you haven’t changed your Yahoo password since 2014.
Yahoo says it is notifying potentially affected users of the attack by email.
:: Are you still at risk?
It’s impossible to say definitively whether Yahoo accounts, or indeed any others, are still at risk because the world of cybercrime is constantly evolving.
What Yahoo says is that there is no evidence that what it calls "the state sponsored actor" – the person or body it is blaming for the hack – is currently in Yahoo’s network.
:: Why has it taken two years to tell us?
So far Yahoo has not shed any light on why it has taken two years for the company to tell its account holders they have been hacked.
The obvious answer might be that Yahoo has only just found out about the hack, but there has been speculation for some time that the company had been targeted.
So perhaps the better question might be – why didn’t Yahoo warn its account holders of the possibility of an attack and urge them to change their passwords regardless?
:: Who’s in the frame?
It’s difficult to say at this point exactly who carried out the hack and why.
Yahoo refers constantly to a "state sponsored actor" but so far has given no evidence for that, let alone which state sponsored it and why Yahoo was attacked.
Again, some might see that as something of a smokescreen, given that Yahoo does not dispute that the hack happened and that its security, and therefore that of its account holders, was breached.
Who did it and why is an interesting detail, but must surely be secondary for account holders, whose primary focus is likely to be the loss of their personal details in the first place.
Meanwhile, the fallout from the Yahoo data theft may have implications for the €4.8bn (£3.7bn) takeover of its core business, experts have said.
Verizon, the US telecoms firm which agreed to buy Yahoo’s main internet operation in July, said it was alerted to the breach by Yahoo "within the last two days".
In the wake of Yahoo’s admission, it said: "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities."
(c) Sky News 2016