ICO data regulator Steve Eckersley told the BBC that discussions with the internet firm revealed that “over eight million UK people had been affected” by the cyber attack, which compromised around 500 million Yahoo accounts globally.
Mr Eckersley called the figures “quite concerning”.
Earlier, Information Commissioner Elizabeth Denham said “serious questions” must be asked of Yahoo following the hack.
“The vast number of people affected by this cyber attack is staggering and demonstrates just how severe the consequences of a security hack can be,” she said.
“People’s personal information must be securely protected under lock and key - and that key must be impossible for hackers to find.”
Yahoo confirmed that while most user passwords were encrypted and not visible to hackers, many security questions and answers linked to accounts were. This has led to criticism from analysts over Yahoo’s security set-up and failure to report the breach.
Alex Mathews, from online security firm Positive Technologies, said: “The elephant in the room is Yahoo’s admission that ‘encrypted or unencrypted security questions and answers’ might be amongst the hackers’ haul.
“If the investigation determines that this extremely sensitive information were stored unencrypted, then serious questions need to be answered as this lack of security will highlight serious failings by Yahoo in its responsibility to protect customers.”
Yahoo has urged all users to change their passwords and security questions in wake of the breach.
The company said on Thursday that it believed a “state-sponsored actor” stole information including names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers.
An investigation is still continuing into the breach, which Yahoo said happened in late 2014.
The company said that the stolen information did not include unprotected passwords, payment card data, or bank account information, which is not stored in the system that was targeted.
A statement released by Yahoo added: “The investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Yahoo said it is notifying any potentially affected users and asking any users that have not changed their passwords in the last two years to do so.
A list of security tips published on the company’s Tumblr platform on Thursday read: “Change your password and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
“Review your accounts for suspicious activity.
“Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
“Avoid clicking on links or downloading attachments from suspicious emails.”
Bob Lord, Yahoo’s chief information security officer (CISO), said: “An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.
“Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Network security company NSFocus said that the Yahoo breach had been originally reported in 2012, but that the numbers of users affected had been significantly underestimated.
Stephen Gates, chief research intelligence analyst at NSFocus, said: “In 2012, the number of potentially compromised user credentials was estimated to be around 450,000.
“However, the hacker known as Peace is claiming to have up to 500 million user credentials he/she is now attempting to sell online.”
He echoed Yahoo’s advice for users to change their passwords and added that companies must also take further measures to protect user data.
“Enterprises must first assess what hackers would likely want to steal from them,” he said.
“Once identified, enterprises must use all measures at their disposal to protect that data - at all costs.”
Other organisations have commented on the effect the breach could have on Yahoo’s impending takeover by US telecoms company Verizon.
The firm announced in July that it would be buying Yahoo’s operating business - including its search and email services and news pages - for 4.83 billion US dollars (£3.7 billion).
Mark James, of internet security company ESET, said: “As Verizon are about to buy Yahoo, they will have to consider the backlash of future issues with compromised account data.”
Others say that the breach draws attention to outdated security systems across other websites.
Brian Spector, chief executive of Miracl, said: “The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that we as individuals store and access online today.
“By contrast, new, secure methods of multi-factor authentication can provide much stronger security, and make database hacks, password reuse, browser attacks and social engineering a thing of the past.”