The largest hack in history just became triple the trouble for Yahoo.
Yahoo revealed Tuesday that every single one of its 3 billion accounts got hacked in a 2013 breach. Late last year, it had said that the attack compromised 1 billion accounts — which already made it the largest data breach ever.
The new information stems from an investigation that followed Verizon’s takeover of Yahoo in June in a $4.48 billion deal.
To put things in perspective, 3 billion — every account ever registered on Yahoo — is greater than the number of every user on Facebook, Instagram and Twitter combined.
It’s a landmark development for an already historic breach, and it comes as people are still reeling from yet another supersized hack, an incident at credit-monitoring company Equifax. That one, revealed less than a month ago, affected 145 million Americans, or roughly half the US population, and last week cost Equifax’s CEO his job.
The Yahoo news came on the same day that members of Congress heard testimony from that ex-CEO, Richard Smith, and criticized Equifax for allowing the breach in the first place and for its handling of the matter since then.
Yahoo said it didn’t suffer a new breach, but rather learned of 2 billion additional users having been affected in its 2013 incident. It’s sent a notification to all its users, telling them that it had taken action in 2016 to protect all accounts, requiring password changes and blocking access from accounts with unencrypted security questions.
The information stolen in the massive breach did not include passwords in clear text, payment card data or bank account information. Yahoo is still working with law enforcement to determine who was behind the attack.
Yahoo also suffered a major cyberattack in 2014 in which information from 500 million user accounts was stolen.
Verizon was originally supposed to buy Yahoo for $4.83 billion, but cut the price by $350 million in February in the wake of the security scandal. Yahoo is still reportedly under investigation by the Securities and Exchange Commission for failing to alert users quickly enough.
It’s unclear how much more Verizon would have cut the price if it had known of the 3 billion affected users. Verizon declined to comment beyond the press release.