For users being notified of the hack now, the notification is that their information is included. At the time the breach was first announced, Yahoo required everyone who had not reset their passwords since the breach to do so. According to the FAQ posted, it doesn't appear there's any new action being taken.

The announcement isn't very specific about why or how it determined the breach was so much larger -- or how it was missed in the original forensic analysis, or how this happened in the first place -- likely due to pending lawsuits over the issue. This section of the statement is all it would say:

Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

We should note, this is still separate from a 2014 hack that affected some 500 million accounts.