ROBERT SIEGEL, HOST:
Yahoo has announced yet again that customers were hacked. This time the company estimates that more than 1 billion user accounts had data stolen. This is the second time this year that Yahoo is disclosing a mega breach. And here to discuss it is NPR's Aarti Shahani. And Aarti, what happened?
AARTI SHAHANI, BYLINE: The company's chief security officer put out a statement on Yahoo's Tumblr page saying basically, hey, so I know this happened before, and it happened again. Back in September, it was a half billion accounts. Now in a separate hack, it looks like there was more than 1 billion user accounts affected.
The data includes names, email addresses, telephone numbers, dates of birth, encrypted passwords and in some cases encrypted or unencrypted security questions and answers, as in the question to use in everything you're protecting online, like, what's your mother's maiden name, your first dog, your childhood best friend?
Yahoo said the attack likely happened in the summer of 2013. The company is saying no financial information was taken. But that data theft can still have a financial impact, right? If hackers get all that info from your Yahoo email, they can use it to break into other accounts. That's how the crime works. And you know, Yahoo knows that.
SIEGEL: Has Yahoo described how this break happened?
SHAHANI: There are two details here that caught my eye. One, Yahoo says that an unauthorized third party - and outside party - accessed their proprietary code to learn how to forge cookies. Now, when you forge cookies, that can let an intruder unlock a user account without a password.
This is interesting because it wasn't what we usually hear about, which is spearfishing. Spearfishing is like when, oh, an unknowing employee opens an email attachment that lets the cyber-robbers in. In this case, the hackers got what's supposed to be Yahoo's super-secret code.
Secondly, Yahoo said it looks like this hack could have been sponsored by a nation state. They made the exact same claim last time. And like last time, they provided no evidence. They didn't say, hey, this code we saw resembles this other known attack or hackers let some foreign language slip into the digital trail. They didn't give any of that.
SIEGEL: Yahoo is supposed to be purchased by Verizon. What is Verizon saying about this?
SHAHANI: So Verizon is saying, hey, like we've said all along, we will evaluate the situation while Yahoo continues its investigation. And Verizon will review the impact of this breach before reaching any final conclusions. My little prediction, for what it's worth, is that if Verizon goes ahead and buys Yahoo, it'll be for a lot less than the initial $4.8 billion offer that was on the table.
SIEGEL: And what are Yahoo customers supposed to do about this?
SHAHANI: (Laughter) Well, Yahoo says it is reaching out to affected customers to let them know. The standard procedure is to offer victims free credit monitoring for a year and change. So that's something people may want to use. Customers may also want to reconsider changing the security questions that they use in their other accounts to not reflect what they were using in Yahoo.
SIEGEL: Aarti, when Yahoo talks about a billion user accounts, is that the total number of Yahoo user accounts?
SHAHANI: Yahoo claims to have a billion monthly active users - and so that would mean that a billion people actively using Yahoo and then, you know, many others - an untold number of others - who are not actively using it.
So we don't know in this breach if the billion in question are mostly current, active users whose accounts were breached or people that were no longer really turning to Yahoo, maybe went to Gmail instead.
SIEGEL: OK, that's NPR's Aarti Shahani. Aarti, thanks.
SHAHANI: Thank you. Transcript provided by NPR, Copyright NPR.