"Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected," Yahoo disclosed Tuesday after the market closed.
"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts. The company required all users who had not changed their passwords since the time of the theft to do so," the statement read.
The company still hasn't said who is behind what it claims is a state-sponsored attack, nor which state may have sponsored the hackers.
Yahoo said that the hackers did not obtain plaintext passwords, credit card data, or bank account information.
But the hackers were able to develop a way of accessing accounts without a password by stealing Yahoo's source code, the company said in December.
"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies," which can be used to store authentication credentials locally.
The company was bought by Verizon for $4.4 billion earlier this year after the price was written down following news of the cyberattacks. Yahoo is now folded into AOL under a new subsidiary, Oath.