Yahoo! data breaches

Source: Wikipedia, the free encyclopedia.

In 2013 and 2014 the Internet service company Yahoo! was subjected to two of the largest data breaches on record.[1] Neither was revealed publicly until September 2016.

The 2013 breach occurred on Yahoo! servers in August 2013[2] and affected all three billion user accounts.[3][4] The 2014 breach affected over 500 million Yahoo! user accounts.[5] Both are considered among the largest breaches ever discovered. Four men were indicted over the second breach; one of them, Karim Baratov, was arrested and sentenced to five years' imprisonment.

Specific details of the material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords.[6][7]

Yahoo! has been criticized for its late disclosure of the breaches and for its security measures. It settled a class-action lawsuit for $117.5 million in relation to the breaches and was investigated by members of the United States Congress.[8] The breaches affected Verizon Communications' July 2016 plans to acquire Yahoo!.[9]

August 2013 breach

The first data breach occurred on Yahoo! servers in August 2013[2] and affected all three billion user accounts.[3][4] No information has been released about the method used, and former Yahoo! CEO Marissa Mayer testified before Congress in 2017 that Yahoo! had been unable to determine who perpetrated the 2013 breach.[10]

Late 2014 breach

According to the U.S. Department of Justice indictment, during November or December 2014 Alexsey Belan copied a November 2014 backup of Yahoo!'s User Account Database, containing details of over 500 million accounts, to a computer under his control.[11]

The User Account Database held data on over 500 million accounts, including account names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers; the attackers also gained access to accounts by means of manipulated web cookies.[12][13][14] The majority of Yahoo!'s passwords were hashed with bcrypt, a deliberately slow algorithm designed to make guessing attacks expensive, while the rest used the older MD5 algorithm, a fast general-purpose hash whose password hashes can be cracked rather quickly.[15]
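
The difference between the two hash families matters more than the sentence above suggests, so here is an added example (not code from Yahoo! or from this article) of what an attacker does with a dump of each. bcrypt itself needs a third-party package, so the slow hash used here is PBKDF2-HMAC-SHA256 from the Python standard library; the property it demonstrates, a per-guess cost the defender can raise, is the same one bcrypt provides. Every account name, hash, salt and wordlist entry in the block is constructed for the example.

```python
"""Added example, not code from Yahoo! or from the article: why a dump of MD5
password hashes yields to a dictionary attack far faster than a work-factor
hash such as bcrypt. bcrypt itself needs a third-party package, so the slow
hash here is PBKDF2-HMAC-SHA256 from the standard library; the property shown
(a per-guess cost the defender can raise) is the same one bcrypt provides.
Every account, hash, salt and wordlist entry below is constructed."""
import hashlib
import hmac
import os

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "yahoo2014", "letmein", "qwerty", "hunter2"]

# Constructed "leaked" records in the legacy format: unsalted MD5 of the password.
LEAKED_MD5 = {
    "alice@example.invalid": hashlib.md5(b"password").hexdigest(),
    "bob@example.invalid": hashlib.md5(b"hunter2").hexdigest(),
    "carol@example.invalid": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

PBKDF2_ITERATIONS = 200_000  # the cost knob; bcrypt's equivalent is its log2 work factor


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash stored as 'pbkdf2$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password, record):
    """Recompute the stored hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_md5(leaked, wordlist):
    """Unsalted MD5: hash every candidate ONCE, then match it against ALL accounts.
    Cost is len(wordlist) hashes no matter how many accounts leaked."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def crack_pbkdf2(leaked, wordlist):
    """Salted slow hash: the salt defeats the shared lookup table, so every
    (account, candidate) pair costs a full KDF run. Returns (recovered, kdf_runs)."""
    recovered, kdf_runs = {}, 0
    for user, record in leaked.items():
        for candidate in wordlist:
            kdf_runs += 1
            if pbkdf2_verify(candidate, record):
                recovered[user] = candidate
                break
    return recovered, kdf_runs


if __name__ == "__main__":
    print("MD5 dictionary hits:", crack_md5(LEAKED_MD5, WORDLIST))
    leaked_slow = {u: pbkdf2_record(p) for u, p in [("alice@example.invalid", "password"),
                                                    ("bob@example.invalid", "hunter2")]}
    found, runs = crack_pbkdf2(leaked_slow, WORDLIST)
    print("PBKDF2 hits:", found, "after", runs, "KDF runs of", PBKDF2_ITERATIONS, "iterations each")
```

The weak passwords fall either way; what changes is the bill. Against unsalted MD5 the attacker pays one hash per wordlist entry for the whole dump, so the cost of cracking 500 million accounts is the same as cracking one. Against a salted, iterated hash the attacker pays a full KDF run per account per guess, and the defender can keep raising the iteration count (or bcrypt's work factor) as hardware gets faster. That is the reason the bcrypt-hashed majority of the Yahoo! dump was described as difficult to crack while the MD5 remainder was not.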

From October 2014 to at least November 2016, Belan and at least two others accessed user account information and contents for various unlawful purposes, including searching emails for gift voucher codes, deliberately targeting the accounts of persons of interest, improving the search ranking of businesses they had an interest in, and using the Yahoo! data to breach accounts on other platforms such as Gmail.[16]

As part of this process, the hackers enlisted Karim Baratov to break into accounts on other platforms.[17]

Baratov became the only person arrested in connection with the breach.

July 2016 to October 2017: Public Disclosures

In June 2016, it was reported that account names and passwords for about 200 million Yahoo! accounts had been offered for sale on the darknet market site TheRealDeal.[18]

Yahoo! stated that it was aware of the data and was evaluating it, and cautioned users about the situation, but did not reset account passwords at that time.[18]

Yahoo! officially reported the 2014 breach to the public on September 22, 2016, during the last few weeks of the presidential election campaign, which some commentators described as "a good day to bury the news".[19] Yahoo!'s actions in response to the breach included invalidating unencrypted security questions and answers and asking potentially affected users to change their passwords.[20] Yahoo! also claimed that there was no evidence that the attackers were still in its systems.[20] The Federal Bureau of Investigation (FBI) confirmed that it was investigating the affair.[6]

In its November 2016 SEC filing, Yahoo! reported that it had been aware of an intrusion into its network in 2014 but had not understood the extent of the breach until it began investigating a separate data breach incident around July 2016.[21][22] Yahoo!'s previous SEC filing, on September 9, prior to the breach announcement, had stated that it was not aware of any "security breaches" or "loss, theft, unauthorized access or acquisition" of user data.[23]

The November 2016 SEC filing noted that the company believed the data breach had been conducted through a cookie-based attack: forged authentication cookies allowed the hackers to authenticate as any user without that user's password.[21][19][24] In a regulatory filing in 2017, Yahoo! reported that 32 million accounts had been accessed with forged cookies in 2015 and 2016.[25]
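
To make the cookie-based attack concrete, the following is an added example (not Yahoo!'s code and not from the article) of a minimal HMAC-signed authentication cookie of the kind web services issue after login. It shows three things a practitioner should take from the Yahoo! disclosure: an attacker who knows only a username cannot forge a cookie the server accepts; an attacker who obtains the server's signing secret can mint a valid cookie for any user with no password at all; and rotating that secret invalidates every outstanding cookie, forged or genuine. The `user|expiry|signature` layout and the function names are assumptions of this example, not Yahoo!'s format.

```python
"""Added example, not Yahoo!'s code and not from the article: a minimal
HMAC-signed authentication cookie. It shows (1) that knowing a username is not
enough to forge a cookie the server accepts, (2) that an attacker holding the
server's signing secret can mint a valid cookie for ANY user with no password,
and (3) that rotating the secret invalidates every outstanding cookie, forged
or genuine. The 'user|expiry|signature' layout is this example's assumption."""
import hashlib
import hmac
import time


def mint_cookie(secret, user, lifetime=3600, now=None):
    """Server-side: sign 'user|expiry' with the secret. Anyone holding `secret`
    can call this for any user, which is exactly the failure mode to avoid."""
    if "|" in user:
        raise ValueError("username may not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = "%s|%d" % (user, now + lifetime)
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig


def verify_cookie(secret, cookie, now=None):
    """Return the authenticated username, or None for a tampered, forged or expired cookie."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, sig = parts
    expected = hmac.new(secret, ("%s|%s" % (user, expiry)).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # check the MAC before trusting any field
        return None
    if int(expiry) < now:
        return None
    return user


def forge_cookie_without_secret(user, now=None):
    """Attacker without the secret: the best they can do is guess the signature."""
    now = int(time.time()) if now is None else now
    payload = "%s|%d" % (user, now + 3600)
    guessed_sig = hashlib.sha256(payload.encode()).hexdigest()  # unkeyed, so it will not match
    return payload + "|" + guessed_sig


if __name__ == "__main__":
    secret = b"server-signing-secret-ideally-kept-in-an-hsm"
    good = mint_cookie(secret, "alice")
    print("genuine:", verify_cookie(secret, good))  # alice
    print("forged, no secret:", verify_cookie(secret, forge_cookie_without_secret("victim")))  # None
    print("forged, stolen secret:", verify_cookie(secret, mint_cookie(secret, "victim")))  # victim
    print("after rotation:", verify_cookie(b"new-secret", good))  # None
```

The design lesson is that the signing secret is a master credential for every account: it must not live in source code that can be copied off a server, and the service should be able to rotate it (accepting that all users are logged out) as soon as a compromise is suspected. Binding cookies to server-side session records, so that a correctly signed cookie for a session the server never created is still rejected, limits what a stolen secret alone can do.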

In December 2016, Yahoo! disclosed the 2013 breach and stated that one billion user accounts had been compromised.[26] In October 2017 it revised that estimate and reported that all three billion user accounts had been compromised in the breach.[26]

Attribution and motivation

According to Yahoo!, the 2014 breach was carried out by a "state-sponsored actor".[27] In fall 2014 Yahoo! had detected what it believed was a small breach "involving 30 to 40 accounts", which its executives believed was carried out by hackers "working on behalf of the Russian government" because it was launched from computers in that country. Yahoo! reported the incident to the FBI in late 2014 and notified the affected users.[28]

Some experts suggested China as a potential sponsor of the attack.[29] Others expressed doubt about Yahoo!'s claim that the attack was state-sponsored, since it would be less embarrassing for Yahoo! to attribute an attack to a nation state, which typically has the most sophisticated hacking capabilities, than to a cybercriminal group or individual.[30] One of the effects, if not the direct goal, of the breaches was the use of the stolen usernames and passwords in credential stuffing attacks, in which leaked username/password pairs are replayed against other services on the assumption that many users reuse passwords.[31]
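
Credential stuffing has a recognisable shape in authentication logs, and the following added example (not from the article, and not any vendor's product logic) shows the basic detection. A stuffing run replays leaked pairs, so one source tries many distinct accounts in a short window with a high failure rate; that distinguishes it from a brute-force run (one account, many passwords) and from a forgetful user (one account, a few failures). The log format, the three source addresses and the thresholds are constructed assumptions of this example.

```python
"""Added example (not from the article): flag credential-stuffing sources in a
login log. Signature: one source, many DISTINCT accounts, mostly failures,
inside a short window. Log format and thresholds are assumptions of this
example; the sample log is constructed."""
import re
from collections import defaultdict, deque

LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) login (?P<result>ok|fail) user=(?P<user>\S+)$")

# Constructed sample: 203.0.113.7 stuffs 8 accounts (one succeeds), 198.51.100.2
# brute-forces a single account, 192.0.2.10 is a user who mistypes twice.
SAMPLE_LOG = "\n".join(
    ["%d 203.0.113.7 login %s user=user%02d@example.invalid" % (1000 + i * 5, "ok" if i == 6 else "fail", i)
     for i in range(8)]
    + ["%d 198.51.100.2 login fail user=admin@example.invalid" % (1000 + i * 3) for i in range(10)]
    + ["1005 192.0.2.10 login fail user=carol@example.invalid",
       "1020 192.0.2.10 login fail user=carol@example.invalid",
       "1031 192.0.2.10 login ok user=carol@example.invalid"]
)


def parse_log(text):
    """Parse lines into dicts, skipping malformed lines instead of crashing on them."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": int(m.group("ts")), "ip": m.group("ip"),
                           "user": m.group("user"), "ok": m.group("result") == "ok"})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=300, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_accounts, failures, attempts)} for every source whose
    activity inside some `window`-second span reaches the thresholds. The stats
    kept are the largest seen for that source."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        recent = deque()  # sliding window of this source's events
        for e in evs:
            recent.append(e)
            while recent[0]["ts"] < e["ts"] - window:
                recent.popleft()
            users = {r["user"] for r in recent}
            fails = sum(1 for r in recent if not r["ok"])
            if len(users) >= min_accounts and fails / len(recent) >= min_fail_ratio:
                stats = (len(users), fails, len(recent))
                if ip not in flagged or stats > flagged[ip]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, (accounts, fails, total) in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print("%s: %d accounts, %d/%d failures" % (ip, accounts, fails, total))
```

In the constructed sample only 203.0.113.7 is flagged; the single success among its failures is the account whose reused password worked and should be reset and told why. Per-source thresholds like these catch the naive run but not a distributed one that spreads guesses across thousands of addresses at a low rate, so in practice they are combined with per-network and device signals and with checking submitted passwords against known leaked sets.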

Yahoo! stated that the 2013 breach is connected "to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016."[32]

Prosecution

On March 15, 2017, the U.S. Department of Justice charged four men over the 2014 breach, including two who worked for Russia's Federal Security Service (FSB). In its statement, the FBI said "The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI's point of contact in Moscow on cybercrime matters, is beyond the pale."[33] The four accused were Alexsey Belan, a hacker on the FBI Ten Most Wanted Fugitives list; FSB officers Dmitry Dokuchaev and Igor Sushchin, whom the FBI accused of paying Belan and other hackers to conduct the hack; and Canadian hacker Karim Baratov, who the FBI claimed was paid by Dokuchaev and Sushchin to use data obtained in the Yahoo! breaches to break into about 80 non-Yahoo! accounts of specific targets.[34]

Baratov, the only one of the four arrested, was extradited to the United States. He pleaded guilty, admitting to hacking into at least 80 email accounts on behalf of his Russian contacts. He was charged with nine counts of hacking and in May 2018 was sentenced to five years in prison and ordered to pay US$2.25 million, plus restitution to his victims.[35] His memoir, written after his release, describes a party lifestyle funded by hacking into the email accounts of thousands of people.[36]

Security Culture at Yahoo!

In 2014 Yahoo! hired a dedicated chief information security officer, Alex Stamos, a move that technology experts praised as showing Yahoo!'s commitment to better security; however, CEO Marissa Mayer reportedly denied Stamos and his security team sufficient funds to implement the stronger security measures they recommended, and he had left the company by 2015.

Experts have pointed out that, until the most recent breaches, Yahoo! had not forced affected users to change their passwords, a step that Mayer and her team believed would drive users away from the service.[37] Some experts noted that implementing stronger security measures takes monetary resources and that Yahoo!'s financial situation had not allowed the company to invest in cybersecurity.[38]

Yahoo!'s internal review found that Mayer and other key executives knew of the intrusions but failed to inform the company or to take steps to prevent further breaches. The review led to the resignation of the company's principal lawyer, Ronald S. Bell, by March 2017, and Mayer's equity compensation bonus for 2016 and 2017 was withdrawn.[39]

Reactions and Criticism

Yahoo!'s delay in discovering and reporting these breaches, and in implementing improved security features, has been roundly criticized at all levels.[38]

Verizon Communications merger deal

In July 2016, prior to the announcement of the breaches, Verizon Communications had agreed to purchase a portion of the Yahoo! properties for $4.8 billion, with the deal set to close in March 2017.[40] Verizon had become aware of the 2014 breach only two days before Yahoo!'s September announcement.[6] CEO Lowell McAdam said he was not shocked by the hack, saying "we all live in an internet world, it's not a question of if you're going to get hacked but when you are going to get hacked". He left the door open to possibly renegotiating the $4.83 billion price tag.[41] In February 2017, Verizon and Yahoo! announced that the deal would still go forward, but with the sale price reduced by $350 million to $4.48 billion.[42] The deal officially closed at this reduced price in June 2017, with Marissa Mayer stepping down as CEO following the closure.[43] Under the revised terms, Verizon and Yahoo! share the ongoing costs of the government investigation of the breaches.[44] The remaining Yahoo! properties not purchased by Verizon, which included its stake in Alibaba Group, were renamed Altaba in June 2017.[45]

United States government

Members of the U.S. Government have been critical of Yahoo!'s reactions to these breaches. In a letter to Yahoo! CEO Marissa Mayer, six Democratic U.S. Senators (Elizabeth Warren, Patrick Leahy, Al Franken, Richard Blumenthal, Ron Wyden and Ed Markey) demanded answers on when Yahoo! had discovered the late 2014 breach and why it took so long to disclose it to the public, calling the time lag between the breach and its disclosure "unacceptable".[46][47][48] On September 26, 2016, Democratic Senator Mark Warner asked the U.S. Securities and Exchange Commission (SEC) to investigate whether Yahoo! and its senior executives had fulfilled their obligations under federal securities laws to properly disclose the attack. In his letter,[49] Warner also asked the SEC to evaluate whether the current disclosure regime was adequate. Jacob Olcott, a former Senate Commerce Committee counsel who helped develop the SEC data breach disclosure rules, noted that because of the size of the breach, the intense public scrutiny and the uncertainty over the timing of Yahoo!'s discovery, the hack could become a test case for the SEC's guidelines.[50][51] Following the announcement of the August 2013 breach, Sen. Warner called for a full investigation, asking "why its cyber defenses have been so weak as to have compromised over a billion users".[52] In April 2018, the SEC announced that it had reached a deal with Altaba, the company holding the Yahoo! assets not purchased by Verizon, under which Altaba would pay US$35 million for failing to disclose the 2014 breach in a timely manner.[53]

Class action lawsuits

By November 9, 2016, 23 lawsuits related to the late 2014 breach had reportedly been filed against Yahoo!.[22] In one, filed in the U.S. District Court for the Southern District of California in San Diego, the plaintiffs contended that the hack caused an "intrusion into personal financial matters."

Five of these 23 cases were consolidated into a single suit in early December 2016.[54][55] The case was later amended to include the updated breach information following Yahoo!'s announcement about the August 2013 breach.[56] Before trial could commence, Verizon and Altaba agreed in October 2018 to split the cost of a US$50 million settlement with the class (an estimated 200 million users), along with providing two years of free credit monitoring through AllClear ID.[57] Judge Lucy Koh rejected the proposed settlement, questioning the lack of transparency about its details and the high fees the lawyers would recoup through it.[58] Yahoo! eventually agreed in April 2019 to settle for $117.5 million, again offering affected users credit monitoring or a cash payout whose size depended on the number of respondents in the class.[59]

International

Foreign governments have also raised concerns about the breaches. On October 28, 2016, the European privacy regulators' Article 29 Working Party outlined, in a letter[60] to Yahoo!, its concerns about the 2014 data breach as well as about allegations that the company had built a system that scanned customers' incoming emails at the request of U.S. intelligence services.[61] It asked Yahoo! to communicate all aspects of the data breach to the EU authorities, to notify the affected users of the "adverse effects" and to cooperate with all "upcoming national data protection authorities' enquiries and/or investigations".[62] In late November, Ireland's Data Protection Commissioner (DPC), the lead European regulator on privacy issues for Yahoo!, whose European headquarters are in Dublin, said that it had stepped up its examination of the breach, that it was awaiting information from Yahoo! on allegations that it had helped the U.S. government scan users' emails, and that Yahoo! was examining the breach rather than investigating it.[63] Germany's Federal Office for Information Security criticized Yahoo! following the December 2016 announcement, stating that "security is not a foreign concept", and advised government and other German users to seek email and Internet services from companies with better security approaches.[64]

References

  1. Cook, James (October 16, 2020). "British Airways fined £20m for data breach affecting 400,000 customers". The Telegraph. ISSN 0307-1235. Archived from the original on October 17, 2020. Retrieved October 17, 2020.
  2. Goel, Vindu (December 14, 2016). "Yahoo Says 1 Billion User Accounts Were Hacked". The New York Times. Archived from the original on December 14, 2016. Retrieved December 14, 2016.
  3. McMillan, Robert; Knutson, Ryan (October 3, 2017). "Yahoo Triples Estimate of Breached Accounts to 3". The Wall Street Journal. Archived from the original on January 26, 2021. Retrieved October 3, 2017.
  4. Haselton, Todd (October 3, 2017). "Yahoo just said every single account was affected by 2013 attack — 3 billion in all". CNBC. Archived from the original on October 3, 2017. Retrieved October 3, 2017.
  5. Perlroth, Nicole (September 22, 2016). "Yahoo Says Hackers Stole Data on 500 Million Users in 2014". The New York Times. Archived from the original on September 22, 2016. Retrieved September 22, 2016.
  6. "Yahoo 'state' hackers stole data from 500 million users". BBC News. September 23, 2016. Archived from the original on September 23, 2016. Retrieved September 23, 2016.
  7. Gammarays (January 16, 2009). "A Post-mortem of Yahoo! Account Security". Exploit Database. Archived from the original on February 16, 2020. Retrieved February 16, 2020.
  8. Shankar, Nithya; Mohammed, Zareef (2020). "Surviving Data Breaches: A Multiple Case Study Analysis". Journal of Comparative International Management 23 (1): 35–54.
  9. Goel, Vindu (February 21, 2017). "Verizon Will Pay $350 Million Less for Yahoo". The New York Times. ISSN 0362-4331. Archived from the original on November 11, 2020. Retrieved November 8, 2020.
  10. Shabad, Rebecca (November 8, 2017). "Yahoo hack, Equifax data breach hearing: Richard Smith and Marissa Mayer will testify to Senate Commerce Committee". CBS News. Retrieved March 26, 2024.
  11. U.S. Department of Justice. "Indictment". Retrieved March 26, 2024.
  12. Newcomb, Alyssa (September 22, 2016). "Yahoo Says 'State-Sponsored Actor' Hacked 500M Accounts". NBC News. Archived from the original on September 22, 2016. Retrieved September 22, 2016.
  13. "Account Security Issue FAQs". Yahoo!. Archived from the original on September 22, 2016. Retrieved September 23, 2016.
  14. Shankar, Nithya; Mohammed, Zareef (2020). "Surviving Data Breaches: A Multiple Case Study Analysis". Journal of Comparative International Management 23 (1): 35–54.
  15. Goodin, Dan (September 22, 2016). "Yahoo says half a billion accounts breached by nation-sponsored hackers". Ars Technica. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  16. U.S. Department of Justice. "Indictment". Retrieved March 26, 2024.
  17. Baratov, Karim (January 22, 2023). Disconnected: A Memoir of the Yahoo Hacker.
  18. Cox, Joseph (August 1, 2016). "Yahoo 'Aware' Hacker Is Advertising 200 Million Supposed Accounts on Dark Web". Vice. Archived from the original on December 15, 2016. Retrieved December 16, 2016.
  19. "Yahoo knew of 'state-backed' hack in 2014". BBC News. November 10, 2016. Archived from the original on November 10, 2016. Retrieved November 10, 2016.
  20. "An Important Message to Yahoo Users on Security". Business Wire. September 22, 2016. Retrieved March 26, 2024.
  21. "Yahoo discovered hack leading to major data breach two years before it was disclosed". The Washington Post. Archived from the original on November 11, 2016. Retrieved November 10, 2016.
  22. Goel, Vindu (November 10, 2016). "Yahoo Employees Knew in 2014 About State-Sponsored Hacker Attack". The New York Times. Archived from the original on November 10, 2016. Retrieved November 10, 2016.
  23. McMillan, Robert. "Yahoo Hackers Were Criminals Rather Than State-Sponsored, Security Firm Says". The Wall Street Journal. Archived from the original on October 15, 2016. Retrieved October 15, 2016.
  24. Vaas, Lisa (November 11, 2016). "Yahoo staff knew they were breached two years ago". Naked Security. Archived from the original on December 17, 2016. Retrieved December 12, 2016.
  25. Lawler, Richard (March 1, 2017). "Yahoo hackers accessed 32 million accounts with forged cookies". Engadget. Archived from the original on March 2, 2017. Retrieved March 1, 2017.
  26. Rushe, Dominic (October 3, 2017). "Yahoo says all of its 3bn accounts were affected by 2013 hacking". The Guardian. ISSN 0261-3077. Retrieved March 26, 2024.
  27. Tsukayama, Hayley; Timberg, Craig; Fung, Brian (September 22, 2016). "Yahoo confirms data breach affecting at least 500 million accounts". The Washington Post. Archived from the original on September 22, 2016. Retrieved September 22, 2016.
  28. McMillan, Robert. "Yahoo Executives Detected a Hack Tied to Russia in 2014". The Wall Street Journal. Archived from the original on September 25, 2016. Retrieved September 25, 2016.
  29. Murgia, Madhumita (September 23, 2016). "Cyber experts look to usual suspects in Yahoo hack". Financial Times. Archived from the original on September 25, 2016. Retrieved September 25, 2016.
  30. Solon, Olivia (September 23, 2016). "China and Russia lead list of Yahoo hack suspects — but some doubt theory". The Guardian. Archived from the original on October 18, 2016. Retrieved September 25, 2016.
  31. Horgan, Richard. "Yahoo Breach May Have Led to 'Credential Stuffing'". AdWeek. Archived from the original on March 24, 2017. Retrieved March 23, 2017.
  32. Wells, Nicholas; Fahey, Mark (December 15, 2016). "How Yahoo's 1 billion account breach stacks up with the biggest hacks ever". CNBC. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  33. Goel, Vindu (March 15, 2017). "Russian Agents Were Behind Yahoo Breach, U.S. Says". The New York Times. Archived from the original on March 16, 2017. Retrieved March 15, 2017.
  34. Raymond, Nate (November 24, 2017). "Canadian charged in Yahoo hacking case to plead guilty in U.S." Reuters. Archived from the original on November 26, 2017. Retrieved November 27, 2017.
  35. Moon, Mariella (May 30, 2018). "Attacker involved in 2014 Yahoo hack gets five years in prison". Engadget. Archived from the original on May 31, 2018. Retrieved May 30, 2018.
  36. "Disconnected: A Memoir of the Yahoo Hacker eBook: Baratov, Karim: Amazon.co.uk: Kindle Store". www.amazon.co.uk. Retrieved March 26, 2024.
  37. Perlroth, Nicole; Goel, Vindu (September 28, 2016). "Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say". The New York Times. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  38. "Why Yahoo's Security Problems Are a Story of Too Little, Too Late". Reuters. December 19, 2016. Archived from the original on December 19, 2016. Retrieved December 19, 2016.
  39. Goel, Vindu (March 1, 2017). "Yahoo's Top Lawyer Resigns and C.E.O. Marissa Mayer Loses Bonus in Wake of Hack". The New York Times. Archived from the original on March 16, 2017. Retrieved March 15, 2017.
  40. Larson, Selena (September 23, 2016). "Yahoo facing lawsuits in the wake of massive data breach". CNN. Archived from the original on September 25, 2016. Retrieved September 25, 2016.
  41. Knutson, Ryan; Wells, Georgia (October 10, 2016). "Verizon CEO Says Evaluating Whether Yahoo Hack Had 'Material Impact'". The Wall Street Journal. ProQuest 1827509919. Archived from the original on February 22, 2017. Retrieved March 23, 2023.
  42. "Yahoo Data Breach: What Actually Happened?". BPB Online. Archived from the original on April 28, 2021. Retrieved April 28, 2021.
  43. "Verizon closes Yahoo deal, Mayer steps down". Reuters. June 14, 2017. Archived from the original on June 13, 2017. Retrieved June 14, 2017.
  44. "Verizon revises deal with Yahoo to $4.48 billion". Reuters. February 21, 2017. Archived from the original on February 22, 2017. Retrieved February 21, 2017 – via CNBC.
  45. La Monica, Paul (June 19, 2017). "So long, Yahoo. Hello ... Altaba?". CNN. Archived from the original on April 13, 2018. Retrieved April 24, 2018.
  46. "Letter to Marissa Mayer signed by 6 senators" (PDF). leahy.senate.gov. Archived (PDF) from the original on October 3, 2016. Retrieved September 30, 2016.
  47. Fisher, Dennis (September 28, 2016). "Senators Demand Answers of Mayer on Yahoo Data Breach". OnTheWire. Archived from the original on October 2, 2016. Retrieved September 30, 2016.
  48. Kuchler, Hannah (September 27, 2016). "US senators demand answers from Yahoo". The Financial Times. Archived from the original on March 23, 2023. Retrieved September 30, 2016.
  49. "20160926 Letter to SEC on Yahoo Breach". Archived from the original on December 17, 2016. Retrieved December 13, 2016.
  50. Volz, Dustin (September 30, 2016). "Yahoo hack may become test case for SEC data breach disclosure rules". Reuters. Archived from the original on October 4, 2017. Retrieved December 13, 2016.
  51. "Sen. Warner Calls on SEC to Investigate Disclosure of Yahoo Breach" (Press release). Mark Warner. September 26, 2016. Archived from the original on December 12, 2016. Retrieved December 13, 2016.
  52. Roumeliotis, Greg; Volz, Dustin (December 15, 2016). "Yahoo shares fall on worries new breach will kill Verizon deal". Reuters. Archived from the original on December 15, 2016. Retrieved December 15, 2016.
  53. Kastrenakes, Jacob (April 24, 2018). "SEC issues $35 million fine over Yahoo failing to disclose data breach". The Verge. Archived from the original on April 24, 2018. Retrieved April 24, 2018.
  54. Baron, Ethan (December 8, 2016). "Yahoo data-breach class-action lawsuits joined together in San Jose federal court". Silicon Beat. Archived from the original on December 11, 2016. Retrieved December 15, 2016.
  55. Stempel, Jonathan (August 31, 2017). "Yahoo must face litigation by data breach victims: U.S. judge". Reuters. Archived from the original on September 1, 2017. Retrieved August 31, 2017.
  56. Stempel, Jonathan (March 12, 2018). "Data breach victims can sue Yahoo in the United States: judge". Reuters. Archived from the original on March 12, 2018. Retrieved March 12, 2018.
  57. Liedtke, Michael (October 23, 2018). "Yahoo to pay $50M, other costs for massive security breach". ABC News. Archived from the original on October 23, 2018. Retrieved October 23, 2018.
  58. Fingas, Jon (January 29, 2019). "Judge rejects Yahoo's proposed settlement over data breaches". Engadget. Archived from the original on January 29, 2019. Retrieved January 29, 2019.
  59. Brodkin, Jon (April 10, 2019). "Yahoo tries to settle 3-billion-account data breach with $118 million payout". Ars Technica. Archived from the original on October 1, 2019. Retrieved October 1, 2019.
  60. "ARTICLE 29 Data Protection Working Party Letter To Yahoo!" (PDF). Archived (PDF) from the original on November 4, 2016. Retrieved November 2, 2016.
  61. Drozdiak, Natalia (October 28, 2016). "EU Issues Data-Protection Warning to WhatsApp, Yahoo". The Wall Street Journal. ProQuest 1833042031. Archived from the original on January 4, 2017. Retrieved March 23, 2023.
  62. Fioretti, Julia (October 28, 2016). "EU data protection watchdogs warn WhatsApp, Yahoo on privacy". Reuters. Archived from the original on October 29, 2016. Retrieved October 29, 2016.
  63. Bergin, Tom (November 21, 2016). "Irish data regulator steps up Yahoo hack probe, waits on email scanning". Reuters. Archived from the original on November 26, 2016. Retrieved November 26, 2016.
  64. "Germany Slams Yahoo Over Cybersecurity Practices". Reuters. December 15, 2016. Archived from the original on December 16, 2016. Retrieved December 15, 2016.