A 2013 breach of Yahoo!'s network affected all three billion of the company's accounts, Verizon Communications, which acquired Yahoo post-breach for $4.48 billion, said Tuesday.
Yahoo previously said the breach, which was disclosed in December 2016, affected one billion accounts.
"Back when the breach was first disclosed, we noted that many large enterprises lack the necessary controls to limit unauthorized access. While this remains the case, a breach where virtually all Yahoo users are affected is unprecedented," said Bitglass CEO Rich Campagna. "It's difficult to imagine any circumstance in which an organization committed to security could have all network segmentation, policies, and security measures bypassed completely. Even over a prolonged period of time, it is exceedingly difficult to exfiltrate 3 billion records without setting off a single actionable alarm."
Calling the incident "an epic failure," Carl Wright, CRO at AttackIQ, called for companies to "seriously, find protection failures before the adversary does."
Consumers worldwide as well as shareholders "deserve better," he said. "It is one thing to deploy security controls, it is completely another thing to know that they are working correctly."
The additional two billion accounts are being notified and Verizon is directing users to a site set up after the breach was disclosed.
"Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016," Yahoo stressed in a post on the site. "This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts."
Yahoo has already felt the impact of the breach. "When the deal between Verizon and Yahoo was initially announced, we saw the direct impact that the breach had on the price of the acquisition," said Campagna. "This goes to show that a seemingly small gap in security can be devastating and have prolonged implications for any business."
A judge recently ruled that Yahoo will have to face the music in court for a series of data breaches.