Yahoo announced today that the huge data breach in August 2013 affected every user using its services — that’s all three billion users and up from the initial one billion number Yahoo initially reported.
Since disclosing the hack in 2016, Yahoo continued to add more numbers of accounts compromised, but today’s announcement makes it clear that if you had a Yahoo email account, you were part of the breach.
In 2016, Yahoo said it took action to protect all accounts, including directly notifying impacted users identified at the time, requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website.
The hack exposed user account information, which includes name, email address, hashed passwords, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions and answers,” the company said back in 2016. Yahoo did confirm that passwords were not stolen in clear text, and hackers did not obtain bank or credit card information tied to the Yahoo accounts.
The news today comes four months after Yahoo was acquired by Verizon Communications (under a new division named Oath) for $4.48 billion — down $350 million from the initial offer due to the severity of the hacks.