Yahoo has said more than a billion users may have had data stolen in a hack dating back to 2013.
The company believes the incident is separate from a previously disclosed breach affecting 500 million users.
"Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts," a statement said.
"Yahoo believes this incident is likely distinct from the incident the company disclosed on September 22, 2016."
The news could be a major blow to the struggling internet giant, which is in the process of selling its core operating assets to Verizon for $4.8 billion.
The breach disclosed in September, which affected 500 million, already the biggest of its kind, had posed a threat of derailing the deal with Verizon or resulting in a reduction in the price.
In November, Yahoo disclosed that as part of its investigation, it had received data files from law enforcement "that a third party claimed was Yahoo user data."
Using outside forensic experts, Yahoo confirmed that this was indeed user data but added that it "has not been able to identify the intrusion associated with this theft."
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, "hashed" passwords and, in some cases, encrypted or unencrypted security questions and answers.
The hackers did not obtain passwords in clear text, payment card data, or bank account information.
Yahoo's European HQ is in Ireland, with the office of the Data Protection Commissioner contacting the company in the wake of the September hack.