Yahoo has disclosed a new security breach that may have affected more than one billion user accounts.
The breach dates back to 2013 and is thought to be separate from a massive cyber security incident announced in September, the company revealed on Wednesday.
"For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," said Bob Lord, Chief Information Security Officer, Yahoo, in a blog post.
The company previously disclosed that outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users' accounts without a password.
"Based on the ongoing investigation, we believe an unauthorised third party accessed our proprietary code to learn how to forge cookies. The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," Lord said.
Yahoo says it was notifying the account holders affected. They will be required to change their passwords.
"We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account," added Lord.
Yahoo said it had connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft disclosed on September 22.