Yahoo was forced by a secret court order to build a tool that scanned all of its customers' emails for specific information supplied by US intelligence agencies.
The report comes from Reuters, citing three sources who are familiar with the events.
According to the report, the tool was built in 2015 at the behest of either the NSA or the FBI (it's not clear which, given the NSA usually funnels its requests through the FBI), according to the sources.
Engineers at the company were told to build the tool "to siphon off messages containing the character string the spies sought and store them for remote retrieval," the report said.
But weeks later, the company's internal security team -- at the time led by Alex Stamos, who left the company to work for Facebook in mid-2015 -- found out about the program. The team is said to have thought that hackers broke in. The report also said that a programming flaw could have allowed hackers into the stored emails.
Stamos reportedly resigned as chief information security officer, said Reuters. (Stamos did not respond to the news outlet's request for comment, but we asked the company to comment regardless.)
An NSA spokesperson did not immediately return a request for comment.
The American Civil Liberties Union called the order "unprecedented and unconstitutional".
"The government appears to have compelled Yahoo to conduct precisely the type of general, suspicionless search that the Fourth Amendment was intended to prohibit," said staff attorney Patrick Toomey.
The Foreign Intelligence Surveillance Court, which authorizes the government's surveillance requests, signed off on the unusual request, which is thought to be the first of its kind.
But it's not known exactly who was the target of the broad request. Other companies may have also been served a similar demand, because it wasn't known which service the target's email account was hosted with.
The court's work -- usually conducted in secret -- first became public after a FISA court order, leaked by whistleblower Edward Snowden, was published by reporters in June 2013, which detailed how Verizon was forced to turn over metadata on all its customers on a rolling basis.
However, the government has used the court to push for more from US tech companies, including their source code.
The vast majority of requests made by the government are accepted. At the last count, just 12 requests have been denied in the past four decades that the court has been operational.