Every single one of Yahoo’s 3 billion users was impacted by a data breach in 2013, despite the company previously saying only 1 billion accounts were impacted, illustrating that the company is still wrestling with the full scope and details of the enormous breach.
The company, now part of Verizon’s Oath, disclosed the information in a quiet update to its account security update page.
“Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected,” Yahoo’s page reads.
The new conclusion comes based on “recently obtained new intelligence,” according to a statement from the company. “While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.”
The process of notifying all of the new victims will take several days.
The breaches also affected Verizon’s plans to buy Yahoo for $4.8 billion. A total of $350 million was slashed from the price and the deal closed in June 2017.
Shortly after the company made the announcement, lawmakers said Yahoo representatives would be among those called to testify in front of the Senate Commerce Committee about recent breaches.
“After a breach, affected consumers expect organizations that failed to safeguard sensitive information to be forthcoming about potential risks and explain how they plan to meet their obligations to mitigate damage that may not be known for months or years,” Sen. John Thune, R-S.D., said in a statement. “Later this month, the Commerce Committee will call representatives of Yahoo! and Equifax to testify about recent breaches, whether new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come. I expect witnesses to think hard about their obligations to consumers and offer a sober assessment of remaining risks that could be the subject of a future announcement.”
Yahoo’s exploding data breach totals came just hours after former Equifax CEO Richard Smith was grilled by U.S. lawmakers in a hearing about the recently disclosed data breach impacting 145 million consumers.
The Securities and Exchange Commission and Deloitte round out the two other major hacking victims to go public in just the last month.