The company said in a statement Wednesday, after the markets closed, that unnamed attackers stole the accounts in August 2013, a year before a previously disclosed attack in September 2014, in which attackers stole around 500 million accounts.
The company wasn't able to identify the intrusion associated with the August 2013 breach.
The statement said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords (using the weak, easy-to-crack MD5 algorithm), dates of birth, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo said it has invalidated unencrypted security questions and answers so that they cannot be used to access affected accounts.
Payment card data and bank account information, stored in separate systems, are not thought to have been stolen in the attack.
Source code stolen
The company admitted that hackers may have developed a way of accessing accounts without a password by stealing Yahoo's secret source code.
"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies," the statement said. Cookies can be used to store authentication credentials locally.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," the statement said.