The incident was reported two years later.
The firm said "state-sponsored" hackers had stolen personal information, which included names, emails, unencrypted security questions and answers.
The ICO said Yahoo had failed to take appropriate measures to protect it.
Yahoo said it did not comment on regulatory action.
"The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data," wrote deputy commissioner of operations James Dipple-Johnstone in a blog.
"Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised."
Around eight million of the affected accounts were believed to belong to people in the UK.
The ICO's investigation also found:
Verizon acquired Yahoo in 2017 and combined it with AOL to form a company called Oath.
The firm was investigated under the UK 1988 Data Protection Act, which pre-dates the new European data regulation, GDPR.
Tony Pepper, CEO of Egress Software Technologies, said the data breach would go down in history as "one of the most notorious" - both because of its size and the two-year period between the attack and the report.
"Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than the GDPR which has much tougher consequences for a breach," he said.