Last year Yahoo (now part of Oath along with AOL after its acquisition by Verizon) announced that back in 2013, hackers had stolen info covering over one billion of its accounts. Today, the combined company announced that further investigation reveals the 2013 hack affected all of its accounts that existed at the time -- about three billion. The information taken "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers."
For users being notified of the hack now, the notification is that their information is included. At the time the breach was first announced, Yahoo required everyone who had not reset their passwords since the breach to do so. According to the FAQ posted, it doesn't appear there's any new action being taken.
The announcement isn't very specific about why or how it determined the breach was so much larger -- or how it was missed in the original forensic analysis, or how this happened in the first place -- likely due to pending lawsuits over the issue. This section of the statement is all it would say:
Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.
We should note, this is still separate from a 2014 hack that affected some 500 million accounts.