Yahoo has confirmed that it knew for two years that a “state-sponsored actor” had hacked into its network.
It added that a panel of independent experts was now investigating exactly how much was known and by whom.
When Yahoo first disclosed the theft of millions of its users’ details in September, it only made mention of a “recent investigation”.
At the time, Verizon – which is buying part of Yahoo – said it had only been told of the breach the same week.
In its latest filing to the Securities and Exchange Commission (SEC), Yahoo acknowledged that the telecoms firm might now reconsider the $4.8bn (£3.9bn) takeover of its internet operations.
“As a result of facts relating to the security incident [Verizon] may seek to terminate the stock purchase agreement or renegotiate the terms of the sale,” it said.
There had already been speculation that Yahoo had been aware of a problem for some time.
In September, the Wall Street Journal reported that the tech firm had detected a cyber-breach in the autumn of 2014 that it believed had been launched from computers in Russia. However, the paper said that its unnamed source did not know whether the two attacks were connected.
In its filing, Yahoo indicates that it only discovered that information from at least 500 million accounts – including names, email addresses, telephone numbers, dates of birth and unencrypted security questions and answers – had been stolen after it had looked into another unsubstantiated claim.
It said that it subsequently “intensified an ongoing broader review” that caused it to re-examine “access to the company’s network by a state-sponsored actor”, which it had identified in late 2014.
It added that evidence had since come to light that suggested the hacker had created cookies that let them bypass the need to enter passwords to access users’ accounts.
And it revealed that law enforcement officers had been given data by a hacker who claimed it had come from Yahoo users’ accounts. The firm said it would now help analyse the shared data.
“It was a good day to bury the news,” commented Dr Joss Wright from the University of Oxford’s Internet Institute, referring to the fact that Yahoo’s filing had coincided with the US election results.
“Because there’s rarely a large visible event when a breach happens, companies can choose not to report them hoping that they can fix the problem internally.
“They may calculate the risk to their reputation outweighs the potential risks of the details later coming out beyond their control.
“That’s why we need to have better enforced laws that require companies to reveal breaches and notify their consumers.”
Yahoo did acknowledge a server breach in October 2014 but said at the time that no user data had been lost.
A spokeswoman for Yahoo was unable to comment about the timing of the filing or provide other information.