Yahoo learned that the already-vast breach had ballooned thanks to new intelligence "obtained" recently, after Verizon closed its deal to buy Yahoo. Verizon has folded together the tech giant and previously purchased AOL under the umbrella brand Oath.
Oath spokesman Charles Stewart did not elaborate on how the information was obtained, but said the new intelligence led to a new investigation by the company's security team, completed less than a week ago.
The security industry's favorite adage is that there are two types of companies: those that have been hacked and those that don't know they have been hacked. Among those that know, Yahoo stands out.
Over the course of 2016, Yahoo set and then beat its own record for the largest-ever disclosed data breach. Last September, Yahoo reported an incident affecting 500 million accounts that took place in 2014. Then, in December, came the disclosure of the 2013 hack, which was presented as "likely distinct."
The 2014 hack was believed to be state-sponsored and later led to a trial of a Canadian hacker and charges against Russian government agents — a relatively rare development for crimes of such caliber. But many questions remain about the 2013 hack and its perpetrators; in fact, the company has been unable to identify the intrusion.
An internal investigation by Yahoo's board in March found that the company's information security team, senior executives and some legal staff were aware of a state-sponsored hack in 2014, according to a regulatory filing, that adds:
"It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. ... However, the Independent Committee did not conclude that there was an intentional suppression of relevant information.
"Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."
Yahoo's then-top lawyer resigned without severance pay as a result, and then-CEO Marissa Mayer lost her 2016 bonus. She later left the company as Yahoo was bought by Verizon.
Copyright 2017 NPR. To see more, visit http://www.npr.org/.