Yahoo Confirms Massive Data Breach By 'State-Sponsored Actor'
ROBERT SIEGEL, HOST:
Now we turn to one of the biggest hacks ever disclosed. Today, Yahoo confirmed to users that at least 500 million accounts were stolen. And the company says the attack was state-sponsored. NPR tech reporter Aarti Shahani joins us now. And first, Aarti, tell us about the attack. When did it happen, and what exactly was taken?
AARTI SHAHANI, BYLINE: Well, a whole lot was taken. And apparently it happened back in 2014. Hackers broke into Yahoo's servers and got users' names, phone numbers, dates of birth and passwords. What was not taken, according to Yahoo, was financial information. The company says hackers didn't take credit card and bank account numbers. So those are probably stored in a different place, kind of like putting the jewels in the bedroom instead of the living room.
Yahoo says it's securing accounts now and is asking users to change their passwords if they haven't done so since 2014, although, you know, many security experts say you should change your password a lot more than that, say, every three months. And, like, internet companies like Yahoo don't require it. They could, although it might be seen as annoying.
SIEGEL: Aarti, if this happened in 2014, why is Yahoo just notifying users now?
SHAHANI: That is a fabulous question. It could be that Yahoo didn't discover the breach immediately. You know, sometimes there is a delay. But NPR asked, and they did not tell us when exactly they found out.
SIEGEL: Why does Yahoo say that a foreign government was behind this hack?
SHAHANI: Well, it's interesting how Yahoo framed it in its letter to users because they basically said, hey, these attacks, backed by an enemy state, are happening to lots of tech companies, not just us, you know, which is fair enough. But Yahoo doesn't say which government or provide even high-level details about the code used to break in, you know, what the native language of the hacker may be or where the code has been seen before.
Experts I spoke with say Yahoo could be playing a game, right? Like - oh, it was a state-sponsored attack, not our fault. And if it was state-sponsored, then you should stop and ask yourself about motive. Were they after a high-value target or a politician or a CEO, right? So the plot will thicken.
SIEGEL: Yahoo is working out a deal these days to be purchased by Verizon for nearly $5 billion. Could news of this hack affect that deal?
SHAHANI: Well, the short answer is we don't know, and that's because Verizon had no idea at all. The company's saying that they just found out in the last two days. And in a statement, they do not sound happy about it. They say they have, quote, "limited information and they'll have to evaluate through a lens of Verizon's interests."
It could be, by the way, that Yahoo was forced to tell Verizon now because the tech outlet Recode was reporting the story. The reason it matters is once Yahoo is breached, this data, which is its main asset, could be seen as a liability, right? Say users want to file a lawsuit and claim that Yahoo was negligent. Well, then that could become Verizon's responsibility legally - a big headache for them. So it is definitely a bad timing for Yahoo.
SIEGEL: That's NPR's tech reporter Aarti Shahani. Aarti, thanks.
SHAHANI: Thank you.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.