Yahoo’s Security Breach History
Yahoo was once one of the most widely used search engines and email service providers in the world. That is not the only thing Yahoo is known for, however. Yahoo is also known as the company that experienced one of the largest security breaches in history, not once but twice. The breaches happened in back-to-back years, the first in 2013 and the second in 2014, but neither was discovered until 2016: the 2014 breach became known first, in September, and the 2013 breach four months later, in December. Much more is known about the 2014 breach. It compromised 500 million accounts, whereas the earlier 2013 breach ultimately compromised 3 billion accounts, every active account Yahoo had at the time. It was originally reported that 1 million accounts were hacked in 2013, and it was not until after Yahoo’s acquisition by Verizon that the company discovered the true figure was triple that amount, with 3 billion accounts compromised. It is still unknown exactly what happened in the 2013 hack, so I will carry forward by explaining the 2014 breach.
Yahoo’s 2014 breach was carried out by four men, two of whom were Russian. Yahoo did not notice that it had been compromised in 2014 until law enforcement presented the company with third-party evidence of the hack in 2016. Yahoo then began working with the Department of Justice and the FBI, and the agencies concluded that in 2014 the company had been the victim of a massive Russian state-sponsored attack. The Department of Justice ultimately charged Russian officials for a “state-sponsored” crime, and further lawsuits followed, approved by the US District Judge in San Jose, California.
So how did the Russians actually pull this off? It started with phishing emails. No employees in particular were targeted; all it took was one click on the link included in the email and the Russians had their way in. Aleksey Belan, a hacker hired by the Russian agents, did the initial snooping around to find what he needed. Belan ultimately needed two things: the account management tool and Yahoo’s user database. The account management tool was what was used to edit Yahoo’s database. Once he found them, he installed a backdoor on a Yahoo server so that he would keep access to them in the future. In December, Belan stole a backup copy of Yahoo’s user database and transferred the copy to his own computer.
The database contained names, phone numbers, password questions and answers, and password recovery emails. It also held a cryptographic value unique to each user account. In truth, it was the password recovery emails and the unique cryptographic value that allowed the hackers to identify and access the accounts of particular users requested by the Russians. The two men they were targeting were named Igor Sushchin and Dmitry Dokuchaev. The hackers were not only using this data to spy on Russian political officials; the Russian government also used the stolen Yahoo data to spy on a range of targets in the United States, including White House and military officials and bank executives. Since the account management tool did not allow simple text searches by name, the hackers instead searched by recovery email address. Sometimes they could identify targets from the recovery email address itself, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest.
Once the targeted accounts had been identified, the hackers used the stolen cryptographic values to generate access cookies through a script that had been installed on a Yahoo server. Those cookies gave the hackers free access to any user’s email account without needing a password. Interestingly, the hackers were selective about the cookies they generated: of the 500 million accounts they had access to, they generated cookies for only about 6,500.
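The step just described, minting a valid cookie from a value copied out of the user database, is only possible when whatever the cookie is derived from sits in the same database as the accounts. The Python below is an added example, not code from this post or from Yahoo: it sketches a session-cookie design in which the signing key is held outside the user database and each account carries a session epoch, so a copy of the database alone cannot produce a cookie that verifies, and a forced password reset revokes every cookie already issued. SERVER_KEY, USER_DB, the nonce and session_epoch fields, the claim names and the sample rows are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption of this example: the signing key lives in a secrets manager or HSM
# and is never written to the user database, so a copy of that database does
# not contain what is needed to mint a cookie that verifies.
SERVER_KEY = secrets.token_bytes(32)

COOKIE_TTL = 3600  # seconds a cookie stays valid

# Constructed sample rows (not real data). "nonce" stands in for the per-account
# cryptographic value the text describes; "session_epoch" is advanced whenever
# the account is reset so that every cookie issued before the reset stops verifying.
USER_DB = {
    "alice": {"nonce": "3f0c9a1b2d4e5f60", "session_epoch": 1},
    "bob": {"nonce": "a1b2c3d4e5f60718", "session_epoch": 7},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _encode(username: str, epoch: int, exp: int, key: bytes) -> str:
    claims = {"u": username, "e": epoch, "exp": exp}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


def mint_cookie(username: str, now: Optional[float] = None) -> str:
    """Issue a session cookie after a successful login. Requires SERVER_KEY."""
    now = time.time() if now is None else now
    row = USER_DB[username]
    return _encode(username, row["session_epoch"], int(now) + COOKIE_TTL, SERVER_KEY)


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the cookie is authentic, unexpired and from the
    account's current epoch; None otherwise."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        payload = _unb64(body)
        # Constant-time compare so tag checking does not leak timing information.
        if not hmac.compare_digest(_unb64(tag), _sign(payload, SERVER_KEY)):
            return None
        claims = json.loads(payload)
        row = USER_DB.get(claims["u"])
        if row is None or claims["e"] != row["session_epoch"] or claims["exp"] <= now:
            return None
        return claims["u"]
    except (ValueError, KeyError, TypeError):
        return None


def invalidate_sessions(username: str) -> None:
    """Part of a forced password reset: advancing the epoch revokes every
    outstanding cookie for the account without keeping a revocation list."""
    USER_DB[username]["session_epoch"] += 1


def cookie_from_database_copy(username: str, db_copy: dict, now: Optional[float] = None) -> str:
    """Negative check for the design: the only secret a database copy holds is
    the per-user nonce, so the best it can do is sign with that. verify_cookie()
    must reject the result, because the real tag needs SERVER_KEY."""
    now = time.time() if now is None else now
    row = db_copy[username]
    return _encode(username, row["session_epoch"], int(now) + COOKIE_TTL, row["nonce"].encode())
```

The two controls are independent: the server-held key is what keeps a database copy from being enough, and the epoch is what makes the response described later in the post (forcing password changes) actually end the attacker's access rather than only changing a password the attacker never needed.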
Because of the damage these breaches did, the acquisition of Yahoo by Verizon closed at $350 million less than Verizon’s original offer. In 2016, Yahoo took immediate action to protect all accounts. This included notifying the impacted users it identified, requiring password changes, and invalidating unencrypted security questions and answers so that they could not be used to access an account. Yahoo also notified users via a notice on its website. With its investment in Yahoo, Verizon set out to continue taking significant steps to enhance security.
Overall, a great lesson to be learned from this security breach is to properly educate employees on the signs of phishing. This incident all came down to one mistaken click. Who knows, maybe the Russians would have found another way in, but clicking their bait made the process a whole lot easier for them. In addition, all of the information, including the security questions and answers, was not encrypted with a secure system, since it was easily decrypted by the Russian hackers. Even once someone had gained access to the database, Yahoo could still have protected its data better in order to protect its customers’ valuable information.
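On that last point, the defensive practice for security answers is the same as for passwords: store a salted, deliberately slow hash rather than the answer itself or a reversible encryption of it, so that a copy of the table yields only the question text and opaque digests. The Python below is an added example, not code from this post or from Yahoo; the in-memory store, the field names, the cost parameters and the sample answers are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed in-memory store (not real data): username -> list of records holding
# the question text, a random salt and a slow hash of the normalized answer.
# The answer itself is never written anywhere.
SECURITY_ANSWERS: dict = {}

# scrypt cost parameters (assumed for this example): 128 * r * n bytes, i.e.
# 16 MiB of memory per guess, so anyone holding a copy of the table pays that
# cost for every candidate answer they try.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize_answer(answer: str) -> bytes:
    """Canonicalize so 'Fluffy ' and 'fluffy' hash identically; the hash input
    must be stable or legitimate users fail to verify."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted scrypt of the normalized answer; the salt makes identical answers
    across accounts produce unrelated digests."""
    return hashlib.scrypt(normalize_answer(answer), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enroll_answer(username: str, question: str, answer: str) -> None:
    """Store a security answer as salt + hash only."""
    salt = secrets.token_bytes(16)
    SECURITY_ANSWERS.setdefault(username, []).append(
        {"question": question, "salt": salt, "hash": hash_answer(answer, salt)}
    )


def verify_answer(username: str, question: str, answer: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    for record in SECURITY_ANSWERS.get(username, []):
        if record["question"] == question:
            return hmac.compare_digest(record["hash"], hash_answer(answer, record["salt"]))
    return False


def invalidate_answers(username: str) -> int:
    """Mirror of the response described above: drop an account's stored
    questions and answers so they can no longer be used for recovery.
    Returns how many records were removed."""
    return len(SECURITY_ANSWERS.pop(username, []))
```

Hashing raises the cost of recovering answers from a stolen table but does not make a low-entropy answer such as a pet's name unguessable, which is why invalidating the questions outright, as the post describes Yahoo doing, remains the stronger response once a copy of the data is known to be in someone else's hands.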