Yahoo admits that all 3 billion user accounts were hacked in 2013

Original estimates put the number at 1 billion

The 2013 hack of Yahoo affected every single one of its three billion customers, three times the original one billion estimate given by the internet firm.

Parent company Oath, which was taken over by US telco giant Verizon, said that a new investigation had found that the extent of the problem was far deeper than the estimated one billion previously acknowledged publicly, following "assistance of outside forensic experts" and "new intelligence".

When the breach was uncovered in 2016, Yahoo took rear-guard action to protect accounts, including the deletion of unencrypted security questions, emails to all affected customers and making password changes obligatory.

Yahoo has emphasised that plaintext passwords, payment card data and bank account information were not stolen.

"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, chief information security officer at Verizon.

"Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."

At the point of sale, the company valuation was $4.5bn, a huge drop from its original valuation and a direct result of the disclosure of two major hacks: the one in 2013, and a further breach of 500 million accounts a year later.

Yahoo has been behind the curve on security for some time, being one of the last webmail services to switch to an encrypted offering and as such, being hacked is a common complaint amongst users.

The company stressed that this is not a new security issue but rather a continuation of the existing one and that it is "continuing to work closely with law enforcement".

Security vendor Sophos advised all Yahoo users to change their passwords, if they have not already done so when news of the attacks first emerged.

"Yahoo says it's 'notifying potentially affected users by email'," it says in a blog.

"Don't wait for an email from Yahoo though, or a scammer pretending to be Yahoo, assume you're affected, don't click on anything in any purple-branded emails, just go straight to yahoo.com and work your way to the right place."