Yahoo said last week that it has uncovered a "coordinated effort" to gain access to Yahoo Mail accounts.
Yahoo believes that the list of usernames and passwords used to carry out the attack was obtained from a third-party database compromise.
"We have no evidence that they were obtained directly from Yahoo's systems," Jay Rossiter, senior vice president of platforms and personalisation products, wrote in a blog post.
"Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts," he continued. "The information sought in the attack seems to be names and email addresses from the affected accounts' most recent sent emails."
Yahoo reset the passwords of the affected accounts and is using second sign-in verification to have users validate their accounts.
"Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account," Rossiter said.
He also encouraged users not to use the same passwords on multiple services across the web because that can make them "particularly vulnerable to these types of attacks."
Yahoo said it has put in place other security measures to block attacks on its systems, but did not elaborate. "We regret this has happened and want to assure our users that we take the security of their data very seriously," Rossiter concluded.
Yahoo's revelation comes in the wake of a number of high-profile breaches of popular US retailers, including Target, Neiman Marcus, and Michaels.
Microsoft has also found itself the victim of a number of attacks on its social media profiles and official blogs.