SAN FRANCISCO – All 3 billion of Yahoo’s users as of 2013 were affected by a data theft the company originally said had only affected 1 billion users, Yahoo's new parent said Tuesday.
That makes the Yahoo hack far and away the largest in history, and further dents the reputation of an Internet pioneer that was forced to sell itself off after a succession of CEOs failed to revitalize its user and revenue growth as Facebook and Google grew to dominate the digital ad market.
The additional two billion data theft victims came to light as Yahoo was being integrated with Verizon, which bought the company in June for $4.5 billion after shaving the price in light of earlier-disclosed breaches.
"During integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," the company said in a statement posted on its website Tuesday.
Verizon negotiated down its purchase price for Yahoo by $350 million because of two massive breaches the online media company suffered. The first, in 2013, was believed to be the largest reported data breach ever, involving the theft of data associated with more than one billion user accounts. Yahoo revealed that breach in December 2016.
The other breach, which occurred in 2014 and was revealed by Yahoo in September 2016, affected at least 500 million Yahoo accounts and was believed to have been the work of a state-sponsored actor. Four people, including two Russian intelligence officers, were charged in that attack.
The revelation is black eye for new parent Verizon, particularly with cybersecurity risks in the limelight after the Equifax breach.
It could have been worse: the stolen information was mostly confined to the users' ID's on Yahoo and their email addresses, but did not include passwords in clear text, payment card data, or bank account information.
Yahoo said it would send email notifications to the additional affected user accounts.
The company, then run by CEO Marissa Mayer, disclosed in November that law enforcement officials had given it data files showing what appeared to be evidence that an unknown third party had access to Yahoo user data.
At the time, Yahoo brought in outside forensic experts and confirmed that the data was in fact from Yahoo users. It later said a breach affected more than one billion user accounts.
Yahoo said in 2016 it did not know who was behind the theft.
The company said that the attackers stole the user information from its system in August 2013. However it didn't know when they had gained entry to its network or how long they were there before they stole the user information.