As a result, Yahoo! will now require affected users to change their passwords and use a one-time second sign-in verification to re-secure their accounts, Yahoo! Inc. Senior Vice President Jay Rossiter wrote in a blog post.
"We regret this has happened and want to assure our users that we take the security of their data very seriously," Rossiter said in the blog.
He did not say when the breach occurred, other than "recently." He called it a "coordinated effort" but did not say which third party was involved.
Yahoo! -- the second-largest webmail provider, with an estimated 400 million email accounts -- is working with federal law enforcement authorities "to find and prosecute the perpetrators responsible for this attack," Rossiter said.
The 20-year-old company, which first offered a free email service in 1997, has also implemented unspecified "additional measures" to prevent future attacks, he said.
The email attack follows a string of security breaches, including attacks on retailers, notably Target Corp., affecting 110 million customers, and smartphone photo messaging application Snapchat, revealing parts of 4.6 million usernames and phone numbers.
Yahoo! Mail went down for five days in December, leaving about a million users with no email.
"This has been a very frustrating week for our users and we are very sorry," Chief Executive Officer Marissa Mayer wrote Dec. 13.
Yahoo! was hacked in July 2012, with attackers stealing 450,000 email addresses and passwords from a Yahoo! contributor network.
A year ago a hacker and computer-security researcher said in a Twitter message a security vulnerability placed the 400 million Yahoo! email users at risk. Yahoo! later said it fixed the vulnerability.
Many Yahoo! employees use Microsoft Outlook for corporate email instead of Yahoo! Mail, and Yahoo! is struggling to get them to switch, the Wall Street Journal reported, citing a November internal memo.