The disclosure from Verizon, which bought Yahoo's online assets earlier this year, has tripled the number of users originally reported to have been affected. That means the data breach affected all Yahoo users.
A cyberattack in 2013 compromised data of all 3 billion Yahoo users, the internet company's parent said on Tuesday.
The new announcement revised sharply upward the initial estimate that 1 billion accounts were affected in the massive data breach.
Verizon said it obtained "new intelligence" following a probe conducted with the help of outside forensic experts into the cyberattack that resulted in the largest known data breach in history.
"The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information," Verizon's internet unit Oath said in a statement.
Yahoo is sending email notifications to the additional affected user accounts, Oath added.
The new disclosure sharply increased the legal exposure of Yahoo's new owner, Verizon, Reuters news agency reported citing attorneys.
The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, the attorneys told Reuters.
History of hacks
Yahoo first disclosed the cyber attack in December 2016, when it was in the process of being acquired by Verizon. It said the data stolen may have included names, email addresses, telephone numbers, date of birth and security questions and answers.
Yahoo was hit by another cyber attack in 2014 when hackers stole personal data from more than 500 million of its user accounts.
The data breach revelations allowed Verizon to renegotiate Yahoo's price tag.
Senator John Thune, chairman of the US Senate Commerce Committee, on Tuesday said he plans to hold a hearing later this month over massive data breaches at credit agency Equifax and Yahoo, which is already under a US Securities and Exchange Commission investigation over the hacks.
Equifax disclosed last month that cybercriminals had hacked its systems and accessed sensitive information, including in some cases credit card and social security numbers, belonging to 145 million Americans.
ap/sms (Reuters, AFP, AP)