Yahoo says usernames and passwords of its email customers have been stolen and used to access accounts, but the company isn't saying how many accounts have been affected.
The company said in a blog post Thursday that "The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."
"Security attacks are unfortunately becoming a more regular occurrence," Yahoo senior vice president for platforms and personalisation products Jay Rossiter said in the blog post.
"We regret this has happened and want to assure our users that we take the security of their data very seriously."
A malicious computer program armed with Yahoo Mail passwords and usernames apparently slipped into accounts aiming to glean names and addresses from messages that had been sent, according to Rossiter.
Yahoo recently discovered the invasion and suspected that the passwords were snatched from a third-party database that the company did not disclose.
"We have no evidence that they were obtained directly from Yahoo's systems," Rossiter said.
Yahoo said it was working with federal authorities to investigate the breach.
The company says it is resetting passwords on affected accounts and has "implemented additional measures" to block further attacks.
The company would not comment beyond the information in its blog post. It says it is working with US federal law enforcement.
It said: "We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account."
A spokesman for Yahoo!7 said the breach was a global issue. Australian users should change their passwords as soon as possible "making sure it's not similar to the old one".
He said users should change passwords regularly: "it's an education process".
The breach comes two months after researchers found personal data of a reported 152 million Adobe users online, following a massive security breach of Adobe's cloud services. Facebook followed that finding with a warning to its own users.