That’s three billion accounts — including email, Tumblr, Fantasy and Flickr — or three times as many as the company initially reported in 2016.
Names, email addresses and passwords, but not financial information, were breached, Yahoo said last year.
The new disclosure comes four months after Verizon (VZ, Tech30) acquired Yahoo’s core internet assets for $4.48 billion. Yahoo is part of Verizon’s digital media company, which is called Oath.
Verizon revised the number of breached accounts to three billion after receiving new information.
“The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” Verizon said in a statement.
Verizon would not provide any information about who the outside forensics experts are.
Yahoo will send emails to the additional affected accounts. Following the hacking revelations last year, Yahoo required password changes and invalidated unencrypted security questions to protect user information.
According to experts, it’s not uncommon for forensic investigations to expose a greater number of victims than initial estimates.
“This often happens with breaches, on a much smaller scale,” said Wesley McGrew, a security expert at Horne Cyber. “Initially, the investigation establishes a set of compromised systems and data that encompasses a set of users, then later something is discovered that expands the compromised systems [or] access.”
He also said that internal investigations might miss something, and outside experts focused on digital forensics will find more than an internal team.
Ben Johnson, chief technology officer at Obsidian Security, says Yahoo may never know exactly what was accessed. In any breach it’s safe to assume the number of affected accounts will be adjusted, he said.
In the case of the massive breach at credit monitoring firm Equifax, for instance, the company initially said the hacking affected 100,000 Canadians, but later revised that number to just 8,000.
Johnson said it’s possible that during due diligence of the company’s sale, investigators found new information. Another scenario is that accounts thought not to be compromised may have appeared for sale or are being used by criminals.
“The fact is attackers are having field days and the problem is only going to get worse,” Johnson said.
Yahoo was also hit by a hack in 2014, which affected around 500 million people and is believed to be separate from the 2013 breach. In March of this year, the Department of Justice indicted four people in connection with the 2014 attack — two Russian spies and two hackers.
It’s unclear who exactly was behind the 2013 break-in, but cybersecurity analysts reported in December that the stolen data was up for sale on the dark web, a murky network only accessible through certain software.
Whether or not people use Yahoo services, they should always practice proper computer hygiene, experts say, such as not reusing passwords and implementing two-factor authentication on all their accounts.