It seems like underestimating the scope of a data breach is a trend. Shortly after Equifax revealed that its own hack compromised the data of 145.5 million people, not 143 million, Yahoo announced that a 2013 breach originally believed to have affected 1 billion people actually impacted 3 billion.
Yahoo disclosed the massive hack in December 2016. In the time since, the company has been acquired by Verizon and made part of the Oath brand, which includes a variety of media properties. The breach's actual effects were discovered by Oath, which said it "recently obtained new intelligence" and spoke with outside experts who have led it to believe "that all Yahoo user accounts were affected by the August 2013 theft."
So if you had a Yahoo account in 2013, well, your personal information was stolen. The good news is that Yahoo / Oath / Verizon said "the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information." The bad news is that your name, email address, date of birth, and potentially unencrypted security questions, as well as hashed passwords, were likely compromised.
If you weren't told your account was compromised back in December 2016, you'll soon receive an email informing you of the hack. You'll probably also have to reset your password and change unencrypted security questions; that's what Yahoo required of the people it notified last year. (And by "the breach" we mean the one from December thought to have affected 1 billion people, not the one from September that targeted 500 million.)
Here's what Verizon said about how it plans to handle security in the future:
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, Chief Information Security Officer, Verizon. "Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."
The question is how the number of people believed to have been affected by this breach rose from 1 billion to 3 billion. You can't just dig through the couch cushions and find 2 billion people you forgot about. It seems that the attack may have been more sophisticated than originally thought, or Yahoo wasn't as thorough as it led its users to believe, or the company downplayed the breach's impact so it could sell to Verizon instead of remaining independent.
Yahoo updated an FAQ about the 2013 breach with more information about its latest findings; you can learn more about the hack's scope there.