"As CEO, these thefts occurred during my tenure, and I want to sincerely apologize to each and every one of our users", she told the Senate Commerce Committee, which had called on her and on Equifax executives to discuss their recent incidents. Six months earlier, Yahoo was targeted for the second time in four years in an attack that compromised more than 3 billion email accounts.
In September, Equifax revealed that hackers had stolen the personal information of over 140 million U.S. consumers from its website.
Verizon, which now owns Yahoo, last month also said two breaches in 2013 and 2014 exposed 3 billion customer accounts - far more than the initial estimate.
"The threat from state-sponsored attacks has changed the playing field so dramatically that today I believe that all companies, even the most-well-defended ones, could fall victim to these crimes", she said.
"Unfortunately, while all our measures helped Yahoo successfully defend against the barrage of attacks by both private and state-sponsored hackers, Russian agents intruded on our systems and stole our users' data". A Mayer spokesperson said Tuesday she was appearing voluntarily.
Mayer volunteered to testify on data breaches, but only after being subpoenaed. Its chief security officer now reports directly to the CEO, and a new chief transformation officer is overseeing the firm's broader response.
The hearing comes after Equifax said failure to install a security update may have led to exposure of information of more than 145 million people in the USA and nearly 700,000 people in the UK. "This hearing will give the public the opportunity to hear from those in charge, at the time major breaches occurred and during the subsequent response efforts, at two large companies who lost personal consumer data to nefarious actors".
He said a federal law should replace that patchwork of laws.
Sen. Bill Nelson, D-Fla., said lawmakers need to have the political will to hold corporations more accountable for breaches.
They answered questions about the Equifax breach in September and Yahoo's in March.
At least 145.5 million USA consumers were affected by a separate attack on credit reporting company Equifax, an attack that has already been scrutinized heavily by regulators.
"To this day, we have still not been able to identify the intrusion that led to the attack".