The 2013 hack of Yahoo was much worse than originally feared, according to new parent company Verizon, which reported the total number of user accounts affected by the breach as more than three billion.

The new estimate released in the Wall Street Journal Tuesday triples the original report of one billion accounts that Yahoo originally believed to be compromised by the hack when the incident was first disclosed in December 2016.

Verizon’s findings regarding the security breach comes four months after the telecommunications giant acquired Yahoo. When Verizon purchased the beleaguered tech firm for $4.8 billion earlier this year, it received a $350 million discount off the acquisition to cover any potential expenses associated with the fallout of the breach.

The discovery of the expanded breach was made last week, according to a spokesperson from Oath — the umbrella company that houses Verizon properties including Yahoo, HuffPost, Engadget, TechCrunch, Moviefone and about 50 other brands. Information provided from outside the company helped Oath determine the severity of the breach, but Oath did not disclose the source of the information.

The two billion additional consumers affected by the breach had their usernames and passwords compromised. In some cases, telephone numbers and dates of birth were also exposed to the hackers.

The information regarding the scope of those affected is just the latest in what has been a rapidly evolving saga surrounding the breach, which was revealed not long after a 2014 breach that compromised more than 500 million accounts was disclosed.

The 2014 Yahoo hack has produced a considerable amount of intrigue, as the attack appeared to be the result of efforts by state-sponsored hackers in Russia. Earlier this year, the United States Department of Justice announced four indictments of Russian hackers and agents in the FSB, the country’s national intelligence agency.

It is still unclear if the 2013 hack was in any way related to the 2014 breach carried out by Russian hackers. Information about how the hack was carried out and who was behind it have remained a mystery, though the information has been made available on the dark web.

Speaking at the Structure Security event in San Francisco earlier this month, former Yahoo chief information security officer Bob Lord said he did everything he could to prepare the company for a breach but said "no one really expects the Spanish inquisition.”

According to Lord, at his first meetings with the board of Yahoo, he told the executives one thing: “We are up against dedicated human adversaries who organize their work in campaigns,” a point he used to try to illustrate the attacker lifecycle, which he believed was vital to understanding how threat actors behave.

Lord said Yahoo’s executives were open to his approach and interested in involvement from the security side of the conversations, but suffered from the same problem that many companies do: while they know they should listen to their security team, they often don’t in practice.

"When you start to peel back the onion, most organizations don't actually act that way,” Lord said. “Most boards don't work with their CiSOs in ways that are truly informed by that philosophy.”

Lord said the real challenge with protecting against breaches is that “security is not a technology problem...it’s a people and process problem."

RELATED STORIES
Security Software Yahoo Security