But details about who pulled off the more serious 2013 hack continue to elude Yahoo, Mayer said during Wednesday's hearing, which was focused on protecting consumers from future data breaches.
Yahoo initially revealed its breach the previous year, later lowering the price of its main web properties in a sale to Verizon Communications Inc.
At least 145.5 million U.S. consumers were affected by a separate attack on credit reporting company Equifax, an attack that has already been scrutinized heavily by regulators.
The 42-year-old, who testified before the Senate Commerce Committee on Capitol Hill in Washington on Wednesday, said the thefts occurred during her almost five-year tenure and she wants to "sincerely apologize to each and every one of our users". "The DOJ and Federal Bureau of Investigation praised Yahoo for our extensive cooperation and early, proactive engagement with law enforcement", Mayer said. She said "really aggressive" pursuit of hackers was needed to discourage the efforts, and that even the most well-defended companies "could fall victim to these crimes". But the suspected involvement of Russian agents in its breach shows companies still face a formidable challenge, she said.
"We describe this as an arms race, hackers become ever more sophisticated and we have to become sophisticated in turn", Mayer said.
Ms Mayer said increasing the potential consequences of hacks for the perpetrators would help deter attacks, on both the state-sponsored and commercial side.
The credit reporting company has reshaped management since hackers obtained personal data on more than 145 million people, he said. Florida Sen. Bill Nelson asked Mayer.
Consultants hired by Equifax to investigate haven't been able to identify the attackers, according to a summary of their report provided to Senate staff before Wednesday's hearing and obtained by Bloomberg. "We don't exactly understand how the attack was perpetrated", Mayer told the senators.
The stolen account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, the company said.