Yahoo discovered a data breach in August 2013 affected 2 billion more user accounts than originally announced while completing integration work with new parent Verizon.
The web company reported in December 2016 some 1 billion user accounts were compromised in a hack attack, but announced all 3 billion of its customers’ accounts were hit in a statement issued on 3 October.
Yahoo stated: “while this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts”.
The account information stolen did not include “passwords in clear text, payment card data, or bank account information” and the company is “continuing to work closely with law enforcement.”
Chandra McMahon, chief information security officer at Verizon, said the company “is committed to the highest standards of accountability and transparency,” and is working to “ensure the safety and security of our users and networks in an evolving landscape of online threats.”
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” she added.
Followng this, the US Senate Committee on Commerce, Science, and Transportation said it will ask Yahoo to testify about the breaches, to see “whether new information has revealed steps they should have taken earlier, and whether there is potentially more bad news to come.”
The Commerce Committee has jurisdiction over consumer protection and cybersecurity. The date and witness list for the upcoming hearing will be announced later this month.
Verizon completed a $4.48 billion acquisition of Yahoo’s operating business and combined the assets with its AOL arm to launch Oath, its new subsidiary, in June.
The deal hit several setbacks before being finalised, following revelations Yahoo suffered two major data hacks in 2013 and 2014. The news led to Verizon negotiating a $350 million discount on the original $4.83 billion price agreed.
Avivah Litan, an analyst at research company Gartner, told The Wall Street Journal (WSJ) it was surprising Yahoo didn’t figure out the extent of the breach in its 2016 investigation.
“Usually an audit trail will tell you what records and what databases were accessed,” she said.
The WSJ reported the new disclosure will not affect the terms of Verizon’s acquisition.