The data breach happened in 2014 and is likely to have been a state-sponsored attack.
What was stolen
"The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," the company representative from Yahoo wrote.
An investigation by Yahoo confirms that the state-sponsored actor is no longer in the company’s network, and the company is working with law enforcement officials to try to resolve the issue.
"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected."
Customers were advised "to review their online accounts for suspicious activity and to change their password and security questions and answers for any other accounts on which they use the same or similar information used for their Yahoo account". And, in security advice that always applies, Yahoo advises its users not to click on any unknown links or suspicious attachments.
Before the company admitted the breach, a “massive” data breach of its main service had been reported. Earlier this summer, Yahoo was investigating another data breach in which hackers claimed to have access to 200 million user accounts, details of which would be sold online. Yahoo described this recent hack as “worse” than that.
Yahoo’s CEO Marissa Mayer is about to close a deal in which Verizon Communications Inc will acquire the internet firm for $4.8 billion (£3.6 billion). Yahoo still draws in one billion monthly users for its mail services and news and sports content.
For further reading please see: http://fortune.com/2016/11/09/yahoo-hack-data-breach-sec/