The breach disclosed on Wednesday occurred in 2013 and, like the one in 2014, allowed the hackers to obtain personal information but not credit card details. Here is what Yahoo says the hackers obtained:

Yahoo believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts…. names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

The term “hashed passwords” means that the hackers obtained scrambled versions of user passwords, meaning they could not be immediately deciphered. But as Yahoo notes, some of the hacks revealed unencrypted security answers—which would provide a quick way into users accounts.

Get Data Sheet, Fortune’s technology newsletter.

The upshot is that anyone who uses Yahoo accounts for email or services like fantasy sports, should change their passwords immediately. The company says it is the in the process of notifying affected consumers.

It is unclear how many (if any) of the Yahoo accounts exposed in the newly-disclosed 2013 attack were also breached in the 2014 attack.

Yahoo did not identify the hackers responsible for the 2013 hack. But on Wednesday, the company provided new details of the 2014 attack, and once again pointed to “the same state-sponsored actor” who committed the 2014 breach. If it was indeed a “state-sponsored actor,” potential culprits would include China, Russia, or North Korea, all of which have engaged in serious hacking and espionage directed at U.S. targets in the past.

The latest hacking news also puts a further cloud over phone giant Verizon’s plan to acquire Yahoo.

“As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions,” Verizon spokesman Bob Verettoni said in a statement.

Verizon’s Yahoo Acquisition Might Not Be a Smart Move

The issue hanging over Yahoo is when the company discovered the breaches—and whether it failed to disclose the incident in a timely manner. If the company indeed hushed it up, it would likely provide grounds for Verizon to demand a lower price for Yahoo or to call off the deal entirely. Yahoo also faces class action lawsuits over the hacking incidents.

The entire story of what Yahoo knew, and when, is still not entirely clear. In November, the company told regulators that some employees discovered evidence of hacking in 2014, but at the same suggested the employees not appreciate the severity of them.

This story was updated at 6:30pm ET to clarify details of the 2013 and 2014 breaches.