The breach included swathes of personal information including names and emails as well as “unencrypted security questions and answers”, reports BBC.
It did not include any credit card data, the site said, adding it believed the attack was state-sponsored.
In July, Yahoo was sold to US telecoms giant Verizon for $4.8bn (£3.7bn).
The FBI has confirmed it is investigating the attack.
Password change urged
News of a possible major attack on the technology firm emerged in August when a hacker known as "Peace" was apparently attempting to sell information on 200 million Yahoo accounts.
Yahoo on Thursday confirmed the breach was far bigger than first thought.
The data taken includes names, email addresses, telephone numbers, dates of birth and encrypted passwords.
Yahoo recommended all users should change their passwords if they had not done so since 2014.
The nature of the information stolen feels somewhat run of the mill - no payment info, and passwords were encrypted. Good. But the chain of events leading up to this unprecedented announcement gives rise to some incredibly pressing questions for Yahoo.
Why did it take so long for them to confirm the hack and its scale? Why did it take them so long to tell users and prompt them to protect themselves?
State-sponsored attacks are typically for political, not financial gain. So why were details reportedly being sold online? What evidence is there that it was state-sponsored?
Verizon, which has agreed to buy Yahoo, said it had not been told until a couple of days ago - why not? And why is Marissa Mayer, a chief executive who has presided over bad deals and now the biggest breach in internet history, still in charge?
Verizon told the BBC it had learned of the hack "within the last two days" and said it had "limited information".
The company added: "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.
"Until then, we are not in position to further comment."
Yahoo said in a statement: "Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry."