Yahoo says every account — all 3 billion of them — was affected by 2013 breach

Three billion Yahoo accounts were affected by a massive data breach — three times as many as initially reported. (Oct. 4, 2017)

All 3 billion Yahoo accounts that existed in August 2013 were affected by a massive data breach, three times as many accounts as the company first reported.

In December, Yahoo disclosed that hackers stole information that could be connected to more than 1 billion accounts in a breach then believed to affect the largest number of users ever.

The company updated its tally Tuesday, saying on its website that outside forensic experts analyzed “recently obtained additional information” that shows “all accounts that existed at the time of the August 2013 theft were likely affected.”

The stolen data could include names, email addresses, phone numbers, dates of birth, passwords that have been scrambled, or “hashed,” and encrypted or unencrypted security questions or answers, the company said.

Hackers did not obtain “passwords in clear text, payment card data, or bank account information,” according to the company.


The breach was first made public as Yahoo prepared for its sale to the telecommunications giant Verizon. News of the hack, and a separate 2014 breach, resulted in Yahoo taking a $350-million price cut in its eventual $4.5-billion sale.

Verizon plans to integrate Yahoo’s core business — including its email service, advertising tools and news, and sports websites — with AOL, a onetime competitor to Yahoo that the telecom acquired for $4.4 billion in 2015. The combined business unit is called Oath.

As part of its December announcement, Yahoo says it required all users who had not changed their passwords since 2013 to do so, and disabled unencrypted security questions and answers.


4:10 p.m.: This article was updated to include details about Yahoo’s response to the attack.

3:10 p.m.: This article was updated to include more information about Yahoo’s ownership.

2:25 p.m.: This article was updated to include more information about the breach.

This article was originally published at 2:05 p.m.