In a statement posted online today, Yahoo — now rebranded as Oath and part of Verizon — revised its estimate of the number of accounts affected by a security breach announced last year, from the initial assessment of one billion to "all Yahoo user accounts."
Three months before that announcement, in September 2016, Yahoo admitted to another data breach, which took place in 2014 and exposed the details of over 500 million users. The US Department of Justice and the FBI indicted four suspects — three Russian nationals and a Canadian — for that breach.
No details became public about the 2013 security incident, except the number of affected users and that hackers stole names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
Verizon was slated to buy Yahoo even before the first data breach announcement (the 2014 incident), and still agreed to buy the company following the second breach announcement (the 2013 incident), although it cut the purchase price by $350 million, from $4.83 billion to $4.48 billion.
Yahoo said today that it only recently became aware of the scope of the breach, during the integration of Yahoo data inside Verizon's infrastructure.
Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.
Yahoo has already notified all one billion users affected by the 2013 security breach. It promised today to notify the rest.
Following the two breaches, then-Yahoo CEO Marissa Mayer said she would forgo her annual bonus ($2 million) and equity grant ($14 million), which she would redistribute to Yahoo employees instead.