A complete database of usernames, passwords and dates of birth is being offered for sale for three bitcoins by a bloke who calls himself Peace. The hack apparently took place in 2012.
A spokesYahoo said it was taking the claim "very seriously" and was "working to determine the facts".
"Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms," the outfit said.
The passwords were hashed, but the hacker has also published details of the algorithm allegedly used for the hash, which was the rather weak MD5. This one can be hacked using a dictionary attack.
Motherboard, which first reported the alleged breach, obtained a small sample of the data, some 5,000 records, and tested whether they corresponded to real accounts on the service.
It found that most of the first two dozen Yahoo usernames tested did correspond to accounts.
However, attempts to contact more than 100 of the addresses in the sample saw many returned as undeliverable with auto-responses reading: "This account has been disabled or discontinued," which might suggest that the data is old.
Earlier this month, Yahoo was sold to US telecoms giant Verizon for nearly $5bn so it might become their problem.