Yahoo has updated the number of accounts breached during a 2013 data theft. The company now says all 3 billion of its accounts were hacked, tripling its earlier estimate. Last December, Yahoo said that data from more than 1 billion accounts was compromised in the breach. Yahoo is now saying that “recently obtained new intelligence” showed that all of its user accounts had been affected.
The theft included names, birth dates, phone numbers, security questions, and backup email addresses, along with other personally identifying information. The company said that the stolen information did not include clear text passwords, payment card data, or bank account information. No one knows exactly what happened to the data after it was stolen in 2013.
Attorneys said that the new revelation sharply increases the legal exposure of Yahoo’s new owner, Verizon Communications Inc. John Yanchunis, a lawyer representing some of the affected Yahoo users, said, “It’s really mind-numbing when you think about it.” Yanchunis said his team plans to use the new information to expand its allegations.
To date, the Yahoo hack is the largest breach in history. That data breach and the disclosure of a previous theft forced Yahoo to cut the price of its assets in its sale to Verizon. That separate attack, which occurred in 2014, had affected 500 million accounts. Yahoo maintains that the breaches in 2014 and 2013 are not related.
The Verizon deal was first announced in July, but had been delayed as the companies assessed the consequences of the two data breaches. In February, Verizon lowered its original offer for Yahoo’s assets by $350 million. The company ended up paying $4.48 billion for Yahoo’s core business.
That investigators did not discover the full extent of the 2013 incident earlier was surprising to outside cybersecurity analysts. They added that anyone who had used Yahoo should be diligent about monitoring their personal accounts. Verizon said in a statement it would continue to work closely with law enforcement on the matter. The company also said it was sending email notifications to the additional affected user accounts.