Yahoo has confirmed that a 2013 data breach affected all 3 billion of its accounts – three times the number previously reported.
The disclosure came from Oath, a subsidiary of US telecomms company Verizon, which acquired Yahoo’s online assets in June for $4.48bn.
The purchase price had been cut after revelations of the 2013 data breach and another in 2014 which affected 500 million accounts and resulted in charges for Russian intelligence operatives and a pair of hackers.
Regarding the 2013 breach, Oath and Verizon said the additional user accounts affected were being notified.
The hack was disclosed by Yahoo in December last year, when it said that approximately one billion of its three billion users were affected.
After Yahoo was acquired by Verizon, however, the company “obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected”.
They added: “While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts.
“The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information.
“The company is continuing to work closely with law enforcement.”
Chandra McMahon, chief information security officer at Verizon, said: “Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
The Yahoo breach is believed to be the largest in terms of the number of people affected, although the recently revealed hack at credit agency Equifax is seen as more damaging due to the sensitive nature of data gained.