Report: Yahoo hack may have compromised up to 3B accounts
Yahoo Inc. may have under-reported the number of users hacked in its now infamous 2014 data breach, according to a report Monday.
Business Insider quotes “a former Yahoo executive familiar with its security practices” as saying that, given the way Yahoo’s data is organized, it’s more likely that the number of accounts stolen could be anywhere between 1 billion and 3 billion, making it the largest hack of all time.
“I believe it to be bigger than what’s being reported,” the former executive said. “How they came up with 500 [million] is a mystery.”
The executive went on to claim that all of Yahoo’s products use one main user database to authenticate users, so anyone who logs into any individual Yahoo product has their details stored in the one central place.
Yahoo first officially disclosed it had been hacked in September after it was reported earlier in August that Yahoo account details were being offered for sale on the dark web. At the time, Yahoo said the accounts of “at least” 500 million users had been compromised.
Not state sponsored
One of Yahoo’s other claims is that the hack was “state-sponsored.” That claim has been disputed by security firm InfoArmor, which traced the hack back to an Eastern European crime syndicate.
“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations,” the report notes. “The Yahoo data leak, as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur.”
Who carried out the hack and how big it may actually be are beside the point, given the damage it has done not only to Yahoo’s already tarnished reputation but to the potentially billions of people who have ever had a Yahoo account and password.