The Verizon-owned company issued a statement today saying that the August 2013 data theft it previously disclosed in December 2016 was more widespread than thought. At the time Yahoo believed the hack affected 1 billion of its accounts. Now, however, Yahoo thinks all 3 billion of its accounts were affected:
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
Yahoo has now updated its Yahoo 2013 Account Security Update FAQs page where affected users (that is, everyone who had a Yahoo account in 2013) can go to find out more information about the breach.