We previously heard that the 2013 Yahoo security breach had affected around 1 billion accounts. Now it would appear that the breach was much worse than previously thought and around 3 billion Yahoo accounts were affected in the breach.
Yahoo originally announced the 2013 data breach back in December of last year, there is now more information about the breach. Since Verizon has taken over Yahoo, the company looked into the data breach again and it looks like it affected around 3 billion Yahoo accounts not just 1 billion accounts.
Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.
It is important to note that, in connection with Yahoo’s December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account.
So basically it looks like all of the Yahoo accounts were affected. If you have a Yahoo account and have not already changed your password, then you will now need to change it.
Source Yahoo