Bob Lord, Yahoo's chief information security officer, wrote in a post announcing the hack that, "we believe an unauthorized third party accessed our proprietary code to learn how to forge cookies". And Aarti, what happened?
Many Yahoo users may start cancelling accounts at this point, so there are other options for Verizon. Verizon could benefit by buying multiple less-trafficked websites that are more stable and have a growing following. Technically, those passwords should be secure; Yahoo said they were scrambled twice - once by encryption and once by another technique called hashing.
"The fact that a huge breach with personally identifiable data - including unencrypted security questions and answers - from one billion user accounts can go undiscovered for more than three years shows one thing; companies worldwide need to be reconsidering their security posture". We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account... And you know, Yahoo knows that. Spear phishing is like when, oh, an unknowing employee opens an email attachment that lets the cyber-robbers in. Whenever Yahoo announces its next data breach - and, let's be honest, it's going to happen again - you can bet it won't be news to Yahoo users. Considering that the affected user base this time is twice the size of the last breach, it's likely Verizon will ask for a further $2bn discount, putting the deal at just $1.8bn.
If Yahoo and Verizon can't agree on whether to end the deal or lower its price, there would be a court battle, said Craig Newman, a lawyer with Patterson Belknap who specializes in cybersecurity. What is Verizon saying about this?
In a statement, Verizon said that it will evaluate the situation as Yahoo investigates and will review the "new development before reaching any final conclusions". Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion - a deal that may now be jeopardized by the hacking revelations.
SIEGEL: And what are Yahoo customers supposed to do about this?
Yahoo, however, didn't comment on the company's finding, making it unclear if the data was legitimate. The standard procedure is to offer victims free credit monitoring for a year and change. For those of us that still use Yahoo services for any reason - I use it strictly for account sign-ups that I don't give a damn about - knowing that Yahoo suffered another massive breach didn't take any detective work; we simply had to look at our email. Even though it's bad for security, people cannot resist using the same password across multiple online services.
Some of the individuals who have had information stolen as part of the hack include Federal Bureau of Investigation agents, members of Congress, current and former diplomats, and other intelligence community and military officials. "Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites".
SIEGEL: OK, that's NPR's Aarti Shahani.