Yahoo has tripled down on what was already the largest data breach in history, saying it affected all 3 billion accounts on its service, not the 1 billion it revealed late last year.

Share story

Yahoo, the internet company acquired by Verizon Communications Inc. this year, now believes a 2013 security breach affected all 3 billion of its users at the time.

The assessment, based on new intelligence obtained after the $4.5 billion acquisition, compares with Yahoo’s initial estimate that 1 billion accounts were compromised.

The stolen data could include names, email addresses, phone numbers, dates of birth, passwords that have been scrambled, or “hashed,” and encrypted or unencrypted security questions or answers, the company said.

The information stolen didn’t include passwords in clear text, payment data or bank accounts. Yahoo is notifying users.

Yahoo had already required users to change their passwords and invalidate security questions so they couldn’t be used to hack into accounts.
“Whether it’s 1 billion or 3 billion is largely immaterial. Assume it affects you,” said Sam Curry, chief security officer for Boston-based firm Cybereason. “Privacy is really the victim here.”

Verizon, which is combining Yahoo with its AOL business to attract more internet advertising, had negotiated a $350 million price cut on the deal after Yahoo disclosed the 2013 breach and a subsequent hack in 2014. The attacks exposed user accounts and threatened Yahoo’s trust with consumers.

Verizon, based in New York, was little changed in late trading.

Yahoo has said it wasn’t able to identify who was responsible for the 2013 breach, though the U.S. government has accused Russia of directing the 2014 hack. The 2013 intrusion was discovered by Andrew Komarov, chief intelligence officer for InfoArmor, who had been tracking a prolific Eastern European hacker group that he spotted offering 1 billion Yahoo accounts for $300,000 in a private sale.

By watching the group’s communications, he was able to determine that it sold the database three times. Two buyers were large spamming groups. The third buyer provided a list of 10 names of U.S. and foreign government officials and business executives to verify that their logins were part of the database, Komarov said. The unusual request, Komarov said, indicated that the buyer might be linked to a foreign intelligence agency.

Information from The Associated Press and Los Angeles Times was included in this report.