It turns out every Yahoo account was hit by the data breach a few years ago

The company now says hackers hit all 3 billion accounts, not 1 billion

A 2013 security breach at Yahoo affected three times as many accounts as the company first thought, a new announcement says. 

Yahoo was acquired this summer by Verizon, which said Tuesday the data theft affected not just one billion accounts, as Yahoo reported last year, but "all three billion accounts." 

Verizon had investigators look back at the data breach as part of its integration with Yahoo. 

They say the hackers did not steal any bank account or payment card numbers. What they did steal were names, email addresses, telephone numbers, birth dates, hashed passwords, and security questions.

Last year Yahoo made the one billion account holders they knew were affected change their passwords and their security questions.

Now they'll send emails to another two billion people advising them to do that, too. 

Beware of phishing scams 

As Yahoo prepares to send out a couple billion emails, you can bet that scammers will be reaching out, too. 

On a web page answering FAQs about the security breach, Yahoo says its emails will not include any links or attachments. 

So if you get an email about your Yahoo account asking you to click on a link or open an attachment, you can be sure that's a phishing scam. 

Besides changing their passwords and security questions, Yahoo also suggests people consider using a two-step verification. That's where they send a code to your phone for you to enter before you can open your account. 

Yahoo now part of Oath

Verizon paid $4.5 billion for Yahoo, although the BBC says the purchase price came down a few hundred million after Yahoo discovered it had been hacked in 2013 and also 2014

Verizon is combining Yahoo and other brands including AOL into a new company called Oath. 

Even though Yahoo is getting absorbed, it's apparently still getting investigated, too. The Wall Street Journal reports the Securities and Exchange Commission is looking at why it took the company so long to report the data breaches and whether they broke any laws by delaying. 

Next Up