The breach included swathes of personal information, including names and emails, as well as “unencrypted security questions and answers”.
The hack took place in 2014 but has only now been made public.
Yahoo said it believed the attack was state-sponsored. The FBI has confirmed it is investigating.
The data taken includes names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data, Yahoo said.
News of a possible major attack on the technology firm emerged in August when a hacker known as "Peace" was apparently attempting to sell information on 200 million Yahoo accounts.
On Thursday, Yahoo confirmed the breach was far bigger than first thought.
Yahoo is recommending all users should change their passwords if they have not done so since 2014.