X

Yahoo now says all 3 billion accounts hit in 2013 breach

The largest hack in history just got three times worse for the faded internet pioneer.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
Los Angeles Exteriors And Landmarks - 2017

Yahoo said in December that 1 billion accounts had been hacked in the 2013 breach. 

FG/Bauer-Griffin/GC Images

The largest hack in history just became triple the trouble for Yahoo .

Yahoo revealed Tuesday that every single one of its 3 billion accounts got hacked in a 2013 breach. Late last year, it had said that the attack compromised 1 billion accounts -- which already made it the largest data breach ever.

The new information stems from an investigation that followed Verizon 's takeover of Yahoo in June in a $4.48 billion deal.

To put things in perspective, 3 billion -- every account ever registered on Yahoo -- is greater than the number of every user on Facebook, Instagram and Twitter combined.

"Following an investigation with the assistance of outside forensic experts, [we believe] that all Yahoo user accounts were affected by the August 2013 theft," Suzanne Philion, a spokeswoman for the Verizon unit Oath, said in a statement on Tuesday.

It's a landmark development for an already historic breach, and it comes as people are still reeling from yet another supersized hack, an incident at credit-monitoring company Equifax. That one, revealed less than a month ago, affected 145 million Americans, or roughly half the US population, and last week cost Equifax's CEO his job.

The Yahoo news came on the same day that members of Congress heard testimony from that ex-CEO, Richard Smith, and criticized Equifax for allowing the breach in the first place and for its handling of the matter since then.

Watch this: Former Equifax CEO apologizes to Congress, blames hack on human error

Yahoo said it didn't suffer a new breach, but rather learned of 2 billion additional users having been affected in its 2013 incident. It's sent a notification to all its users, telling them that it had taken action in 2016 to protect all accounts, requiring password changes and blocking access from accounts with unencrypted security questions.

The information stolen in the massive breach did not include passwords in clear text, payment card data or bank account information. Yahoo is still working with law enforcement to determine who was behind the attack.

Yahoo also suffered a major cyberattack in 2014 in which information from 500 million user accounts was stolen.

Verizon was originally supposed to buy Yahoo for $4.83 billion, but cut the price by $350 million in February in the wake of the security scandal. Yahoo is still reportedly under investigation by the Securities and Exchange Commission for failing to alert users quickly enough.

It's unclear how much more Verizon would have cut the price if it had known of the 3 billion affected users. Verizon declined to comment beyond the press release.

"Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security," Verizon's chief information security officer, Chandra McMahon, said in a statement.

First published Oct. 3, 1:55 p.m. PT.
Updated, 2:35 p.m.: Adds details on Yahoo's hack.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.