It was the biggest known breach of a company’s computer network. And now, it is even bigger.
Verizon Communications, which acquired Yahoo this year, said on Tuesday that a previously disclosed attack that had occurred in 2013 affected all three billion of Yahoo’s user accounts.
Last year, Yahoo said the 2013 attack on its network had affected one billion accounts. Three months before that, the company also disclosed a separate attack, which had occurred in 2014, that had affected 500 million accounts.
Digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack.
The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world.
Yahoo sold itself to Verizon for $4.48 billion in June. But the deal was nearly derailed by the disclosure of the breaches and $350 million was cut from Verizon’s original offer. Yahoo was combined with AOL, another faded web pioneer that Verizon bought in 2015, into a new division of the telecommunications company called Oath.
That investigators did not discover the full extent of the 2013 incident before Verizon closed the deal to acquire Yahoo in June was surprising to outside cybersecurity analysts.
“Frankly, I don’t know how Yahoo got away with this,” said Jay Kaplan, a former Defense Department cybersecurity expert and senior analyst at the National Security Agency who is now the chief executive of the cybersecurity company Synack.
After Yahoo discovered that one billion accounts were affected, it should not have been a stretch to consider that all of the company’s user accounts had been compromised, he said. “My guess is that Yahoo was completely ‘owned’ across the board,” Mr. Kaplan said.
The Bits newsletter will keep you updated on the latest from Silicon Valley and the technology industry.
You agree to receive occasional updates and special offers for The New York Times's products and services.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” Chandra B. McMahon, Verizon’s chief information security officer, said in the statement. The company said it did not have more to add beyond an additional fact sheet for users.
Yahoo was hit with several shareholder lawsuits after the breaches became public, and the disclosure that data on all of its accounts was compromised could increase financial liabilities for Verizon.
No one knows exactly what happened to the data after it was stolen in 2013. But last August, a hacking collective based in Eastern Europe quietly began offering Yahoo’s information for sale, according to intelligence gathered by InfoArmor, an Arizona cybersecurity company that monitors the darker corners of the web.
Since then, at least three buyers — two known “spammers” and an entity that appeared more interested in using the stolen Yahoo data for espionage — paid about $300,000 each for a complete copy of Yahoo’s stolen database, InfoArmor said after Yahoo first disclosed the breach.
Cybersecurity professionals warned that because many of the three billion Yahoo accounts belong to people who use the same passwords for different sites and services, there is likely to be an escalation of email fraud and account takeovers. They added that anyone who had used Yahoo should be diligent about monitoring their personal accounts.
With the stolen data, fraudsters have a higher chance of gaining access to the victims’ bank accounts, said Frances Zelazny, the vice president of marketing at BioCatch, a security start-up. “Most people reuse passwords or make multiple versions of the same passwords that are easy to hack,” she said.
Yahoo maintains that the breaches in 2014 and 2013 are not related. But investigators believe the attackers behind the 2013 breach were Russian and possibly linked to the Russian government.
In March, the Department of Justice charged four men, including two Russian intelligence officers, with the 2014 breach. Investigators said the Russian government used stolen Yahoo data to spy on a range of targets in the United States, including White House and military officials, bank executives and even a gambling regulator in Nevada, according to an indictment.
The stolen data was also used to spy on Russian government officials and business executives, federal prosecutors said.
What made that theft particularly egregious, Justice Department officials said, was that the two intelligence officers who were indicted had worked for an arm of Russia’s Federal Security Service, or F.S.B., that is charged with helping foreign intelligence agencies track cybercriminals.