That investigators did not discover the full extent of the 2013 incident before Verizon closed the deal to acquire Yahoo in June was surprising to outside cybersecurity analysts.
“Frankly, I don’t know how Yahoo got away with this,” said Jay Kaplan, a former Defense Department cybersecurity expert and senior analyst at the National Security Agency who is now the chief executive of the cybersecurity company Synack.
After Yahoo discovered that one billion accounts were affected, it should not have been a stretch to consider that all of the company’s user accounts had been compromised, he said. “My guess is that Yahoo was completely ‘owned’ across the board,” Mr. Kaplan said.
Verizon said in a statement Tuesday that, with the assistance of outside forensic experts, it had determined that all Yahoo’s user accounts were affected. The company said it would continue to work closely with law enforcement.
“Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources,” Chandra B. McMahon, Verizon’s chief information security officer, said in the statement. The company said it did not have more to add beyond an additional fact sheet for users.
Yahoo was hit with several shareholder lawsuits after the breaches became public, and the disclosure that data on all of its accounts was compromised could increase financial liabilities for Verizon.
No one knows exactly what happened to the data after it was stolen in 2013. But last August, a hacking collective based in Eastern Europe quietly began offering Yahoo’s information for sale, according to intelligence gathered by InfoArmor, an Arizona cybersecurity company that monitors the darker corners of the web.
Since then, at least three buyers — two known “spammers” and an entity that appeared more interested in using the stolen Yahoo data for espionage — paid about $300,000 each for a complete copy of Yahoo’s stolen database, InfoArmor said after Yahoo first disclosed the breach.
Cybersecurity professionals warned that because many of the three billion Yahoo accounts belong to people who use the same passwords for different sites and services, there is likely to be an escalation of email fraud and account takeovers. They added that anyone who had used Yahoo should be diligent about monitoring their personal accounts.
With the stolen data, fraudsters have a higher chance of gaining access to the victims’ bank accounts, said Frances Zelazny, the vice president of marketing at BioCatch, a security start-up. “Most people reuse passwords or make multiple versions of the same passwords that are easy to hack,” she said.
Yahoo maintains that the breaches in 2014 and 2013 are not related. But investigators believe the attackers behind the 2013 breach were Russian and possibly linked to the Russian government.
In March, the Department of Justice charged four men, including two Russian intelligence officers, with the 2014 breach. Investigators said the Russian government used stolen Yahoo data to spy on a range of targets in the United States, including White House and military officials, bank executives and even a gambling regulator in Nevada, according to an indictment.
The stolen data was also used to spy on Russian government officials and business executives, federal prosecutors said.
What made that theft particularly egregious, Justice Department officials said, was that the two intelligence officers who were indicted had worked for an arm of Russia’s Federal Security Service, or F.S.B., that is charged with helping foreign intelligence agencies track cybercriminals.