Hackers Steal More Account Information From Yahoo Users

Dec 15, 2016
Originally published on December 15, 2016 7:54 am
Copyright 2016 NPR. To see more, visit http://www.npr.org/.

STEVE INSKEEP, HOST:

The number at the center of this story is stunning. Yahoo says that data was stolen from more than 1 billion customer accounts. Yahoo made a similar announcement that about half a billion accounts had been hacked back in September. To try to make sense of what we know now, NPR's Aarti Shahani is on the line. Hi, Aarti.

AARTI SHAHANI, BYLINE: Hi.

INSKEEP: What happened?

SHAHANI: According to a post on Yahoo's Tumblr page by the company's chief security officer, it was law enforcement who came to Yahoo and said, hey, we've got a bunch of stolen data on our hands, and we think it's yours. Yahoo took a look, had some outside forensics experts take a look, and, yeah, it's a bunch of Yahoo accounts. And by a bunch, Steve, I mean more than a billion, as you said. Interestingly, hackers did not get it in the way we're used to hearing about. It wasn't a spear-phishing attack where some unknowing employee opens an attachment and, bam, the thieves are inside the servers.

In this case, hackers managed to access proprietary code, what's supposed to be the company's super secret code, and then figured a way to break in. Yahoo claims it's state-sponsored actors, that a foreign government is behind it. But the company's given zero proof of that. And it looks like the hack happened back in August of 2013.

INSKEEP: A couple of quick questions here. They said earlier there'd been half a billion accounts hacked. Is this an additional 1 billion, so 1.5 billion in all?

SHAHANI: Well, from the statement today and from the calls we've had with them, it seems to be a separate hack not related to the half billion already reported. And so, yeah, I mean, we're talking about a fresh batch.

INSKEEP: Of what kind of information about people?

SHAHANI: So the data that was taken includes names, email addresses, telephone numbers, dates of birth, encrypted passwords and in some cases encrypted or unencrypted security questions and answers. Yahoo says what was not taken was bank account or credit card information. That data's stored separately.

INSKEEP: Oh, OK. Should people be relieved then?

SHAHANI: Well, I mean, sure, it's relieving, but at the same time, you know, what's a well-known fact about hacks in the cybersecurity world is that these user credentials that are stolen from one site can be used to break into another site, you know, and it makes sense. So people recycle their emails and passwords all over the place. And with security questions, you know, for example, when your bank asks you what's your mom's maiden name, well, she's only got one. And so you're going to use it at Yahoo Mail and at Citibank, right?

Yahoo's reaching out to customers impacted by this hack and actually forcing them to change their passwords this time around. In the hack announced in September, they didn't do that. They just recommended a password change.

INSKEEP: Can I just mention - I know Yahoo is a big company but not the biggest company. In fact, it gets in the news often for being a little bit troubled. Should we be surprised that they have information on more than a billion people apparently?

SHAHANI: Well, I mean, that's the funny thing about it is Yahoo announced earlier this year, you know, when it was in talks about being purchased by Verizon - talks that are still going on - Yahoo announced that it has a billion active users every month. So, I mean, it's still a force out there. People are still using their Yahoo Mail. I think what we should be surprised about is how sloppy their security has been and how, you know, up until now, they keep saying, oh, whoops, we got hacked. And not just hacked, like mega hacked. It shouldn't be such a surprise for them recurringly (ph).

INSKEEP: Well, what does it mean for this buyout that you just mentioned?

SHAHANI: Well, you know, Verizon is thinking about buying Yahoo. And what Verizon told us in the statement is that they're evaluating this newest breach and its impact before reaching any final conclusions. You know, my guess is that there's no way Verizon's going to buy Yahoo for $4.8 billion, if they buy Yahoo at all. It'll be for a smaller figure.

INSKEEP: Aarti, thanks very much.

SHAHANI: Thank you.

INSKEEP: That's NPR's Aarti Shahani.