The hack of Yahoo in 2013 didn't compromise one billion accounts, as the company claimed last year - but three billion accounts.
Yahoo, now owned by telco Verizon in a subsidiary called, for some reason, Oath, said that a new investigation had found, following "assistance of outside forensic experts" and "new intelligence", that the extent of the problem was far deeper than the estimated one billion accounts previously acknowledged publicly.
The discovery will enable Oath to extract a refund from continuity Yahoo - now an investment company holding some of the firm's better investments from its time as an independent dot-com - under the terms of the Yahoo asset acquisition agreement, concluded last year.
When the breach was publicised in 2016, Yahoo belatedly took rearguard action to protect accounts, including the deletion of unencrypted security questions, emails to all affected customers and making password changes obligatory.
Yahoo has emphasised that plaintext passwords, payment card data and bank account information were not stolen.
"Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats," said Chandra McMahon, chief information security officer at Verizon.
"Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources."
At the point of sale, the company valuation was $4.5bn - a huge drop from its original valuation and a direct result of the disclosure of two major hacks: the one in 2013, and a further breach of 500 million accounts a year later.
Yahoo has been behind the curve on security for some time, being one of the last webmail services to switch to an encrypted offering, which the Edward Snowden disclosures indicate was regularly exploited by intelligence services.
The company was keen to stress that this is not a new security issue, but rather a continuation of the existing one and that it is "continuing to work closely with law enforcement".
Security vendor Sophos advised all Yahoo users to change their passwords again, if they have not already done so when news of the attacks first emerged.
"Yahoo says it's 'notifying potentially affected users by email'," it says in a blog.
"Don't wait for an email from Yahoo though, or a scammer pretending to be Yahoo, assume you're affected, don't click on anything in any purple-branded emails, just go straight to yahoo.com and work your way to the right place."
A majority of the three billion accounts affected, though, will no doubt be little-used or once-used email accounts.
While those accounts will be valueless, people's propensity to re-use passwords could leave some users open to compromise in other accounts elsewhere.