Yahoo was slightly off when the company revealed the hack of one billion accounts in August 2013. Turns out all three billion accounts were breached — three times the initial count — more than the number of people living in China, India and the United States, combined.
Yahoo, now owned by Verizon subsidiary Oath, admitted as such in a statement this week. While it took the company 16 months to go public with the original hack — notifying account holders in December 2014 — Oath says its now sending emails out to all users. (This is in addition to a separate hack in 2014 of 500 million accounts, that the company only disclosed in 2016.)
What was taken? Names, email addresses, phone numbers, birth dates, security questions and answers — the same information as Yahoo admitted as before, just now for all their accounts. But bank account information, payment card data and password information "in clear text" were not included. The phrase "clear text" is telling as it implies that the password fields were breached. But Yahoo has repeatedly said it used something calls "hash passwords," a way to encrypt passwords into random characters so they can't be deciphered.
Does this mean you're safe even if you had a Yahoo account? Perhaps. But if you're someone who likes to re-use their passwords over and over again, and have used the password for your Yahoo account somewhere else online — change those immediately. (That's something even Yahoo says to do.) Then: Don't do that again. (Really, just don't.)
As for credit card, bank account or other payment details: Keep watch over balances and statements. That's good financial practice anyway, but again — something Yahoo is encouraging its users to do.
Verizon bought Yahoo in a $4.5 billion deal, which closed in June, folding the Yahoo properties into AOL and giving the new company the name Oath. Then-Yahoo CEO Marissa Mayer, who oversaw Yahoo during the 2013 hack, resigned.