Verizon completed its acquisition of Yahoo! in June this year.
Yahoo! had said in December last year that a billion accounts were compromised in this particular breach, one of three that it disclosed in 2016 and 2017.
In a filing with the Securities and Exchange Commission on Tuesday, Verizon said: "Subsequent to Yahoo!’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft."
The company said that while this was not a new security issue, Yahoo! was sending email notifications to the additional affected user accounts.
"The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement," it said.
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats,” said Chandra McMahon, chief information security officer.
"Our investment in Yahoo! is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources."
Update, 5 October: David Kennerley, director of threat research at security firm Webroot, said it was incredible that three billion accounts were affected, but probably not a real surprise.
"The hackers had pretty much free reign over Yahoo! systems for a good while – with the breach only being initially disclosed by the company in late 2016," he said.
Kennerley said the stolen data was a potent package for identify theft. "The fact that the accounts were compromised for so long means that most of the damage would have already been done before the breach was even discovered. I’d hope that the disclosure in 2016 led people to change their passwords, if that’s not the case – act now!"
He said there were wider ramifications to the disclosure. "The reality of the news, coupled with the ongoing security failings at Equifax and many others, means we now without doubt have to accept that a good number of once trusted companies cannot keep our private data secure.
"It’s now essential that consumers become more proactive and improve their own security hygiene. A few examples include, using different passwords for each online profile, always checking the authenticity of any emails received, keeping an eye on all online accounts for suspicious activity and, as importantly, keeping up-to-date on the latest breach disclosures – it’s not if, it’s when!"