yahoo data breach 2013 case study pdf

Corporate Directors’ and Officers’ Cybersecurity Standard of Care: The Yahoo Data Breach

66 American University Law Review, 1231 (2017).

61 Pages Posted: 13 Dec 2016 Last revised: 24 Dec 2017

Lawrence J. Trautman

Prairie View A&M University - College of Business; Texas A&M University School of Law (By Courtesy)

Peter Ormerod

Northern Illinois University College of Law

Date Written: February 9, 2017

On September 22, 2016 Yahoo! Inc. announced that a data breach and theft of information from over 500 million user accounts had taken place during 2014 (the largest data breach ever at the time), likely including names, birthdays, telephone numbers, email addresses, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers. Yahoo further disclosed their belief that the stolen data “did not include unprotected passwords, payment card data, or bank account information. Just two months before Yahoo disclosed its 2014 data breach, a proposed sale of the company’s core business to Verizon Communications was announced. Then, during mid-December 2016, Yahoo announced that another 1 billion customer accounts had been compromised during 2013, a new record for largest data breach. Social media and electronic commerce websites face significant risk factors and mergers and acquisitions may bring cyber liability and vulnerabilities to the acquirer. The fact pattern in this announced acquisition raises a number of important corporate governance issues, including: whether Yahoo’s conduct leading up to the data breaches and its subsequent conduct constitutes a breach of the duty to provide security, the duty to monitor, the duty to disclose, or some combination thereof; whether the directors of Verizon will feel compelled to renegotiate pricing for the proposed acquisition of Yahoo given disclosure of the 2013 and 2014 data breaches; and whether clawbacks in compensation granted to key Yahoo executives are now in order? We believe that cybersecurity remains a threat to all enterprises and this article contributes to the corporate governance literature, particularly as it applies to mergers and acquisitions and the management risk.

Keywords: Alibaba; Caremark; Corporate Governance; Compensation Clawbacks; Cybersecurity; Data Breach; Director and Officer (D&O) Liability; Duties of Care; Loyalty; disclose; monitor; provide data security; Hackers; Mergers and Acquisitions; Nortel software acquisition; Privacy

Suggested Citation: Suggested Citation

Lawrence J. Trautman (Contact Author)

Prairie view a&m university - college of business ( email ).

Prairie View, TX United States

Texas A&M University School of Law (By Courtesy) ( email )

1515 Commerce St. Fort Worth, TX Tarrant County 76102 United States

Northern Illinois University College of Law ( email )

Swen Parson Hall DeKalb, IL 60115 United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics, related ejournals, cyberspace law ejournal.

Subscribe to this fee journal for more curated articles on this topic

Corporate Governance Law eJournal

Securities law ejournal, io: empirical studies of firms & markets ejournal, corporate governance & law ejournal, corporate governance: actors & players ejournal, ebusiness & ecommerce ejournal, cybersecurity & data privacy law & policy ejournal.

• Share full article

Advertisement

Supported by

All 3 Billion Yahoo Accounts Were Affected by 2013 Attack

By Nicole Perlroth

• Oct. 3, 2017

It was the biggest known breach of a company’s computer network. And now, it is even bigger.

Verizon Communications, which acquired Yahoo this year, said on Tuesday that a previously disclosed attack that had occurred in 2013 affected all three billion of Yahoo’s user accounts.

Last year, Yahoo said the 2013 attack on its network had affected one billion accounts. Three months before that, the company also disclosed a separate attack, which had occurred in 2014, that had affected 500 million accounts.

Digital thieves made off with names, birth dates, phone numbers and passwords of users that were encrypted with security that was easy to crack.

The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world.

Yahoo sold itself to Verizon for $4.48 billion in June. But the deal was nearly derailed by the disclosure of the breaches and $350 million was cut from Verizon’s original offer . Yahoo was combined with AOL, another faded web pioneer that Verizon bought in 2015, into a new division of the telecommunications company called Oath.

That investigators did not discover the full extent of the 2013 incident before Verizon closed the deal to acquire Yahoo in June was surprising to outside cybersecurity analysts.

We are having trouble retrieving the article content.

Please enable JavaScript in your browser settings.

Thank you for your patience while we verify access. If you are in Reader mode please exit and  log into  your Times account, or  subscribe  for all of The Times.

Thank you for your patience while we verify access.

Already a subscriber?  Log in .

Want all of The Times?  Subscribe .

• Artificial Intelligence
• Generative AI
• Business Operations
• IT Leadership
• Application Security
• Business Continuity
• Cloud Security
• Critical Infrastructure
• Identity and Access Management
• Network Security
• Physical Security
• Risk Management
• Security Infrastructure
• Vulnerabilities
• Software Development
• Enterprise Buyer’s Guides
• United States
• United Kingdom
• Newsletters
• Foundry Careers
• Terms of Service
• Privacy Policy
• Cookie Policy
• Member Preferences
• About AdChoices
• E-commerce Links
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

Inside the Russian hack of Yahoo: How they did it

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That’s all it took for hackers aligned with the Russian state security service to gain access to Yahoo’s network and potentially the email messages and private information of as many as 500 million people.

Of course, that 2014 breach, was soon dwarfed by revelations of a second breach that took place a year earlier and which at the time was said to have compromised 1 billion Yahoo user accounts . On Tuesday, Yahoo said that, in fact, all 3 billion user accounts were affected.

The U.S. Federal Bureau of Investigation investigated the 2014 intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. In March 2017, the FBI indicted four people for the attack, two of whom are Russian spies.

Here’s how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee. It’s unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.

Once Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network, he looked for two prizes: Yahoo’s user database and the Account Management Tool, which is used to edit the database. He soon found them.

So he wouldn’t lose access, he installed a backdoor on a Yahoo server that would allow him access, and in December he stole a backup copy of Yahoo’s user database and transferred it to his own computer.

The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.

It’s those last two items that enabled Belan and fellow commercial hacker Karim Baratov to target and access the accounts of certain users requested by the Russian agents, Dmitry Dokuchaev and Igor Sushchin.

A U.S. District Court endictment for four people accused of hacking Yahoo is seen against FBI wanted posters.

The account management tool didn’t allow for simple text searches of user names, so instead the hackers turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery email address, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest.

Once the accounts had been identified, the hackers were able to use stolen cryptographic values called “nonces” to generate access cookies through a script that had been installed on a Yahoo server. Those cookies, which were generated many times throughout 2015 and 2016, gave the hackers free access to a user email account without the need for a password.

Throughout the process, Belan and his colleague were clinical in their approach. Of the roughly 500 million accounts they potentially had access to, they only generated cookies for about 6,500 accounts.

The hacked users included an assistant to the deputy chairman of Russia, an officer in Russia’s Ministry of Internal Affairs and a trainer working in Russia’s Ministry of Sports. Others belonged to Russian journalists, officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company and a U.S. airline worker.

So clinical was the attack that when Yahoo first approached the FBI in 2014, it went with worries that 26 accounts had been targeted by hackers. It wasn’t until late August 2016 that the full scale of the breach began to become apparent and the FBI investigation significantly stepped up.

In December 2016, Yahoo went public with details of the breach and advised hundreds of millions of users to change their passwords.

More on the Yahoo breach:

• Yahoo execs botched its response to 2014 breach, investigation finds
• Here’s what you should know, and do, about the Yahoo breach
• Yahoo shows that breach impacts can go far beyond remediation expenses
• The massive Yahoo hack ranks as the world’s biggest — so far

Related content

What is tor browser software for protecting your identity online, the metaverse brings a new breed of threats to challenge privacy and security gatekeepers, the heartbleed bug: how a flaw in openssl caused a security crisis, cis hardened images built on google cloud’s shielded vms, from our editors straight to your inbox.

Martyn Williams produces technology news and product reviews in text and video for PC World, Macworld, and TechHive from his home outside Washington D.C.. He previously worked for IDG News Service as a correspondent in San Francisco and Tokyo and has reported on technology news from across Asia and Europe.

More from this author

How to protect your google and facebook accounts with a security key, trump’s cybersecurity mystery: 90 days in, where’s the plan, trump extends obama executive order on cyberattacks, four charged, including russian gov’t agents, for massive yahoo hack, trump to sign cybersecurity order calling for government-wide review, us park service tweets were result of old twitter passwords, the us has sanctioned russia over election hacking, trump, tech leaders avoided encryption and surveillance talk at summit, most popular authors.

Show me more

Tool used by ransomware groups now seen killing edr: report.

Cisco snaps up AI security player Robust Intelligence

Critical plugin flaw opens over a million WordPress sites to RCE attacks

CSO Executive Sessions: Guardians of the Games - How to keep the Olympics and other major events cyber safe

CSO Executive Session India with Dr Susil Kumar Meher, Head Health IT, AIIMS (New Delhi)

CSO Executive Session India with Charanjit Bhatia, Head of Cybersecurity, COE, Bata Brands

Cybersecurity Insights for Tech Leaders: Addressing Dynamic Threats and AI Risks with Resilience

The Yahoo Breaches of 2013 and 2014

• First Online: 25 February 2021

Cite this chapter

• Neil Daswani 3 &
• Moudy Elbayadi 4  

1981 Accesses

3 Citations

In 2016, Yahoo disclosed to the public that it had been breached in 2014. Yahoo’s 2014 breach exposed the names, email addresses, telephone numbers, birthdates, “hashed” passwords, and, in some cases, security questions of over 500 million users. While investigating the breach of 2014, Yahoo discovered that the company had been separately breached in 2013. Yahoo initially reported that the 2013 breach affected over one billion users while it was in the process of getting acquired by Verizon. In October 2017, after its acquisition by Verizon was complete, Yahoo reported that the 2013 breach affected all three billion users. Figure 7-1 shows a timeline of these breaches and the major events that occurred after the breaches. Yahoo was questioned and criticized for disclosing the breaches two to three years after they occurred. During a Senate hearing that took place in the aftermath of the breaches, frustrated Senator Thune of South Dakota asked former Yahoo CEO Marissa Mayer, “Why the delay in disclosing it? I mean it took from 2013, three years.”

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save.

• Get 10 units per month
• Download Article/Chapter or eBook
• 1 Unit = 1 Article or 1 Chapter
• Cancel anytime
• Available as EPUB and PDF
• Read on any device
• Instant download
• Own it forever
• Compact, lightweight edition
• Dispatched in 3 to 5 business days
• Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Source: https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users

Source: www.commerce.senate.gov/2017/11/executive-session

www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm

Passwords in Yahoo’s systems were hashed using the bcrypt algorithm described in “A Future-Adaptable Password Scheme” by Niels Provos and David Mazieres, published in the 1999 USENIX Annual Technical Conference and MD5, the Message Digest algorithm described in IETF RFC 1321.

More information about how password security systems should be architected can be found in Chapter 9 of Foundations of Security by Neil Daswani, Christoph Kern, and Anita Kesavan (Apress, 2007).

www.sec.gov/news/press-release/2018-71

Many websites will also send your browser a cookie before you log in, but the specific type of cookie that we are referring to here is an authentication cookie as opposed to a tracking cookie.

The name nonce comes from the fact that it is a number that should be used only once .

See Chapter 2 , Section 6 of Foundations of Security , on “Security by Obscurity” by Neil Daswani, Christoph Kern, and Anita Kesavan (Apress, 2007).

www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html

Author information

Authors and affiliations.

Pleasanton, CA, USA

Neil Daswani

Carlsbad, CA, USA

Moudy Elbayadi

You can also search for this author in PubMed   Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Neil Daswani and Moudy Elbayadi

About this chapter

Daswani, N., Elbayadi, M. (2021). The Yahoo Breaches of 2013 and 2014. In: Big Breaches. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-6655-7_7

Download citation

DOI : https://doi.org/10.1007/978-1-4842-6655-7_7

Published : 25 February 2021

Publisher Name : Apress, Berkeley, CA

Print ISBN : 978-1-4842-6654-0

Online ISBN : 978-1-4842-6655-7

eBook Packages : Professional and Applied Computing Apress Access Books Professional and Applied Computing (R0)

Share this chapter

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Publish with us

Policies and ethics

• Find a journal
• Track your research

• Skip to main content
• Keyboard shortcuts for audio player

The Two-Way

Every yahoo account that existed in mid-2013 was likely hacked.

Alina Selyukh

A new disclosure from Yahoo — now known as Oath after it was bought by telecom company Verizon — dramatically escalates the size of the 2013 hack revealed last year. Marcio Jose Sanchez/AP hide caption

A new disclosure from Yahoo — now known as Oath after it was bought by telecom company Verizon — dramatically escalates the size of the 2013 hack revealed last year.

Every user who had a Yahoo account in August 2013 was likely affected by its massive hack, the company's parent, Verizon, said Tuesday.

This latest disclosure triples the number of accounts compromised by the major 2013 data breach that the company disclosed late last year . At the time, Yahoo said hackers had stolen data associated with 1 billion user accounts; the new disclosure escalates that number to 3 billion.

Despite news of the hack's much-broader scope, the company says the steps needed to protect all of its users were already taken last year, when the hack was first discovered.

As originally announced , hackers in the 2013 breach stole account information such as names, email addresses, phone numbers, birth dates as well as hashed passwords and security questions and answers. Yahoo, now known as Oath, says in late 2016 it forced password changes for all accounts that haven't done so since 2013 and invalidated old security questions and answers.

Credit card and bank account data was not taken in the breach, according to the company's investigation.

Yahoo learned that the already-vast breach had ballooned thanks to new intelligence "obtained" recently, after Verizon closed its deal to buy Yahoo. Verizon has folded together the tech giant and previously purchased AOL under the umbrella brand Oath.

Oath spokesman Charles Stewart did not elaborate on how the information was obtained, but said the new intelligence led to a new investigation by the company's security team, completed less than a week ago.

The security industry's favorite adage is that there are two types of companies: those that have been hacked and those that don't know they have been hacked. Among those that know, Yahoo stands out.

Over the course of 2016, Yahoo set and then beat its own record for the largest-ever disclosed data breach. Last September, Yahoo reported an incident affecting 500 million accounts that took place in 2014. Then, in December, came the disclosure of the 2013 hack, which was presented as "likely distinct."

The 2014 hack was believed to be state-sponsored and later led to a trial of a Canadian hacker and charges against Russian government agents — a relatively rare development for crimes of such caliber. But many questions remain about the 2013 hack and its perpetrators; in fact, the company has been unable to identify the intrusion.

An internal investigation by Yahoo's board in March found that the company's information security team, senior executives and some legal staff were aware of a state-sponsored hack in 2014, according to a regulatory filing , that adds:

"It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. ... However, the Independent Committee did not conclude that there was an intentional suppression of relevant information. "Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."

Yahoo's then-top lawyer resigned without severance pay as a result, and then-CEO Marissa Mayer lost her 2016 bonus. She later left the company as Yahoo was bought by Verizon.

• cybersecurity
• data breach
• cybersecurity breach

Many things

Yahoo Data Breach – A Case Study

Yahoo! was the leading internet service company in the early days of technology until it faced a series of data breached which occurred across from 2013 to 2017 (Condliffe, 2016).In 2013, it had “800 million active users globally” and 350 of those are mobile users (DICKEY, 2013). However, it was not until the beginning of 2016 that the breach of user data across multiple occasion was revealed to the public and by February of 2017, the number of active user dropped to 225 million according to TechCrunch, an online tech publisher residing under the same parent company with Yahoo, Verizon Telecommunication (Perez, 2017).

This case study attempts to examine the characteristic and history of each of those security breaches and how they could shift Yahoo’s trajectory towards its downfall after it enjoyed the pinnacle of success.

I. Introduction

Yahoo was once in 2000, a 125 billion dollar company (FOX, 2016) but after the waves of security incidents, revelation and management failure, it was sold for just 4.48 billion to Verizon Media in July 2017, an American telecommunications company having its CEO, Marissa Mayor resigned (Kharpal, 2017).

II.                Historical timeline of breaches and Yahoo response

From 2012 to 2014 Yahoo security system was infiltrated across multiple occasions (Condliffe, 2016). We will investigate each occurrence of each cyber incident by studying how each of them unfolded, how Yahoo responded, and the lesson learn from each of them.

1.      2012 Yahoo! Voices Hack

I.      how yahoo voices breached its data.

In 2010, Yahoo bought Associate Content, an online publishing start-up at the time for around 100 million dollars then rebranded as Yahoo! Voices. In 12 th of July 2012, there were 450,000 unencrypted passwords and usernames began its circulation in online world. According to Forbes, hacker group “D33DS” declared his action on this breach quoting such attack was rather a wakeup call than a threat (Greenberg, 2012).

According to Joseph Bonneau, a Cambridge security researcher who previously worked at Yahoo, he stated that although Yahoo had already completed the acquisition of its smaller counter-part, but it failed to integrate it to its system leaving Yahoo Voices vulnerable to attack (Goldman, 2012).

            Figure 2 above illustrates the credential information was being shared online in “plaintext” with .txt extension on the hacker’s website at the time (Kaufman, 2012).

According to CCN Money, Yahoo Voices at the time had poorly secured website enabling hacker to perform “SQL injection”. The hacker crawled to the database which was residing in the server by simply inputting commands “into the search field or URL”. Then once he arrived at the database, the username and password were stored in “plaintext” (Goldman, 2012) .

SQL injection was not new to the world as it was discovered back in 1998 by Jeff Forristal, a CTO of a private security firm (Kerner, 2013).

ii.      Yahoo response

            In the Thursday morning of 12 th July 2012, Yahoo began its investigation and in a statement to BBC, Yahoo stated that ” We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users accounts may have been compromised” (BBC, 2012).

            In January 2013, Yahoo! Voices was shut down and replaced by Yahoo Messenger (Doke, 2012).

iii.      Lesson learn from Yahoo! Voices

The main root cause of this particular incident is SQL injection; however, it depicts both technical and policy failure. Therefore, it is important that these two must be in sync to prevent further attack.

Technical standpoint:

• Infuse information security awareness into software, web and other product development life cycle
• Perform various types of penetration testing on timely manner
• System hardening through various means that may include the deployment of the WAF (Web Application Firewall) (Rubens, 2018).

Legal and business standpoint:

• Implement the requirement for a contract for security standard. The contract must explicitly include level of acceptable security level.
• Business merging must also focus on technical level integration and must state the process clearly in the acquisition statement
• Require that all product must be tested prior to its deployment
• Prescribe a compulsory security report specifying area of concern and measure taken from all stakeholders (IMPERVA, 2013).

2.      2016 Data breach revelation

 Data breach that occurred in an extended period of time between 2013 and 2015 was considered as the largest data breach in the corporate history (Sanchez, 2018).

Figure 4 above depicts the timeline of all Yahoo hack occurrence and their announcement, curated from multiple new sources including CNN, NYTimes and The Guardians.

The 2 nd hack was announced first by Yahoo, the 1 st hack was announced second, then followed by the 3 rd hack, and then Yahoo went back and re-stated the fact of the 1 st hack after 8 months of the 3 rd hack announcement.

It took Yahoo 4 years to fully recognize that all 3 billion user data were compromised and landed itself in series of lawsuit with all stakeholders (Garun, 2017).

This section will discuss the three breaches according to its discovery timestamp in detail on how they unfold, how Yahoo responded, lessons learned and draw a conclusion of why one of the most successful companies in the tech industry failed.

i.        2016 September – Discovered the 2 nd breach from 2014

A.      how 2 nd hack occurred: phishing email.

Yahoo stated in its blog that the first cyber infiltration in 2014 was the first to be discovered (YAHOO, 2016).  

Figure 5 shows the sale of Yahoo user data by the hacker “peace_of_mind” who also have sold “data dumps” of Myspace and LinkedIn (Cox, 2016).

Initially, Yahoo was not aware of the hack until the user credentials above was openly sold in the dark web for 3 bitcoins and Vice media, a Canadian digital media company published an article about the advertisement of that data dump in early August of 2016. The seller claimed that the particular Yahoo user data were mostly from 2012 (Cox, 2016).

Yahoo then began its investigation then one month later in 22 nd September 2016, it admitted its data breach and confirmed that not 200 million as claimed by the hacker but 500 million user accounts were compromised and not in 2012 , it was in fact in 2014 (GREENBERG, 2016). 

FBI stated that the hack was carried out using “spear-phishing email sent in early 2014 to a Yahoo company employee”. However, it was unclear how many were targeting but it only takes one employee to click one link for the hack to occur (Williams, 2017).

Figure 6 shows the comparison of other breaches in the history and seemingly it was the largest breach ever recorded (Lazaro & Chris, 2017).

b.      Yahoo & Public response

On September 9 th Yahoo publicly denied any breaches while it was in the middle of negotiation of its acquisition to Version Media for 4.8 billion. However, 11 days later after its denial, Yahoo ‘discloses the breach’ to Verizon and made it public on the 22 nd of September 2016 (SZOLDRA, 2016).

In a blog by Yahoo’s own CISO, Bob Lord, stated that the hack was done by a ‘state-sponsored’ hacker. He continued that the compromised information was “telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”. Mr. Lord elaborated that the stolen data does not contain crucial information including “unprotected passwords, payment card data, or bank account information; payment card data and bank account information” (Lord, 2016).

In addition to be the largest breach in the history, Yahoo faced waves of criticism from all aspect of security. Its CISO stated that Yahoo has been using MD5 hashing algorithm all along and it only began migrating to ‘bcrypt’ hashing algorithm in ‘summer of 2013’.

If we were to make conclusion using the timeline, the majority of Yahoo password that were stolen used MD5 hashing algorithm (lord, 2017). MD5 algorithm is wide known to be vulnerable to hacking (GOODIN, 2016).

Yahoo’s CISO also specified in his blog the necessary steps Yahoo took to resolve the problem:

• Notifying all affecting user about the breach. Notifying them to change passwords and security questions etc.
• Prevented unencrypted security questions from being used
• User not changing his password since 2014 but do so
• Worked with law enforcement to further resolve catastrophic result of the breach (Lord, 2016)

On November 2016, Yahoo admitted that it knew about the attack in 2014 all along (Lee, 2016).

On March of 2017, FBI charged two Russian intelligent officers with “directing a sweeping criminal conspiracy” (Goel & Lichtblau, 2017). On May 2018, Karim Baratov who worked with the two hackers was convicted by the supreme court and received 5 years sentence (Mathews, 2018).

ii.  2016 December – Discovered 1 st breach from 2013

One month after Yahoo confession of its awareness of 2 nd  attack, on December 16 th 2016, it disclosed a breach of 1 billion user accounts (Goel & Nicole, 2016).

This breach was encountered after its analysis of “data files, provided by law enforcement, that an unnamed third party had claimed contained Yahoo information” (Goel & Nicole, 2016). Surprisingly, Andrew Komarov, a CIO of a cyber sec firm found a list of one billion Yahoo accounts being sold in the dark web for $300,000 (Larson, 2016).

According to New York times, this time the stolen information comprises of “sensitive user information, including names, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions”.

iii. 2017 February – Discovered 3 rd breach during 2015 to 2016

A.      how 3 rd hack occurred: cookie attack.

On February 16 th of 2017, Yahoo warned its user about a possible user account compromise between 2015 and 2016. It said that the hacker might have stolen “Yahoo’s source code” and created forged cookies allowing them to login with the use of login detail (Solon, 2017).

On March 2 nd , about two weeks later, Yahoo admitted that there were 32 million users account were accessed using “forged cookies” by the same intruder who was responsible for the 2014 breach (Lawler, 2017).

“Forged cookies” were used to bypass the requirement of the user credentials therefore allowing hacker the access to any accounts with knowing any login information, in Yahoo statement to the SEC, U.S. Securities and Exchange Commission (Newcomb, 2017).

Figure above shows the statistics of different types of cyber-attack in recent year. “Forged cookies” or “cookie hijacking” falls in the category of “cross-site scripting” which is accountable for 11% of all cyber incidents (Mansfield, 2018).

Yahoo spokesperson said that all affected user are in the process of being notified and it has “invalidated the forged cookies so they cannot be used again” (Solon, 2017).

Former CEO Marissa Mayer posted in her tumbler blog saying that she had worked with “the team” to inform all stakeholders including “users, regulators and government agencies”. She went on adding that  she had agreed to “forgo” her annual bonus and equity grant in that particular year and she wished to distributed her bonus to the all employees (Marissa, 2017).

iv. 2017 October – Re-discovered 1 st breach from 2013

A.      how 1 st hack resurfaced.

Surprisingly, on October of 2017, Yahoo reassessed the effect of the breach in 2013 and discovered that the number of the affected account is not one but “three billion” , reported Wall Street Journal (McMillan & Knutson, 2017).

As of November 2017, Yahoo had not been able to fully comprehend how its 3 billion customer data get stolen (Hatmaker, 2017). During the testimony before the senate, its CEO reported that she and her team did not know how the hack was carried out (Vega, 2017).

However, as mentioned earlier that FBI found that the hack happened by phishing email to the staffs (Williams, 2017).

 In an interview with WIRED magazine, the hacker revealed that he and his team are of Russian heritage and claimed to have obtain large collection of “one billion” unpublished hacked data dumps from large companies (GREENBERG, 2016).

b.      Yahoo & Public Response

Yahoo informed to all users who were among the 3 billion and still reaffirm it is working close with the law enforcement to resolve the issue.

Figure 14 shows Yahoo effort in trying to show their effort to ensure the safety of the user data. However, Yahoo landed itself in series of lawsuits that in April of 2018 had to pay 35 million to SEC for “misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts” (SEC, 2018).

CEO Marissa Mayer, testified in front of the U.S senate on November 8 th 2017, claiming that she and Yahoo had no knowledge of the hack and how it was carried out, but the hack was operated by Russian “state-sponsored” hackers (Vega, 2017).

According to The New York Times, Yahoo’s top lawyer resigned at a similar time frame with the CEO who lost her own stock bonus valued around 12 million dollars (Goel, 2017).

On October 2018, Yahoo settled a two years old lawsuit by give 50 million in total to those who were affected by the breach (NBCNEWS Associated Press, 2018).

V. Lessons learned from Yahoo & Conclusion

What happened :  There a number of contributing failures leading to the downfall of Yahoo that may include:

• Management failure: Yahoo had trouble in its executive team and the board members did not act upon the issues and gave the CEO too much power (Mattone, 2017)
• Yahoo knew about the hack all along but did not take action until they were forced to which was too late (Lee, 2016)
• Yahoo hid the truth from the public
• Did not respect the security aspect of the product. In fact, the security team at Yahoo was referred internally as the “Paranoid team” (Franceschi-Bicchierai, 2015)
• Poor security means no proper security testing
• Used old technology, MD5 which was released back in 1992 and was easily crack (GOODIN, 2016).
• Did not learn from its mistake it made with Yahoo Voices which was mentioned in earlier section

Lessons learned : There are areas of lessons from Yahoo data breach that includes:

• Customer data is extremely important and should be treated with extreme measure. According to the OAIC, Office of the Australian Information Commissioner, in figure below the majority of all cyber incidents involves the ‘compromise of credentials’ (OAIC, 2018).

• Perform penetration testing on a timely fashion: pen test looks for vulnerability in the essence for security improvement before the hacker does. Yahoo failed to do so and resulted in its both technical and policy doom.
• “Bug Bounty Program” implementation: when the security reaches its maturity, the company should reward those who are able to find loophole. “Bug bounty hunter” are those who participate in the effort in the hope of getting the price. A majority of large companies have done this competition such as Facebook which sets up a program called “Facebook White Hat” (FACEBOOK, 2018)
• Use the best possible security technology: there always be a limit to any security apparatus but it is possible to deter, delay and disrupt hacker.
• Board member and executive team must be proactive rather than reactive: action must be taken on any threat immediately and “plan for the worst” should also in place.
• Integrate security aspect in all product development and enterprise security that may include security framework such as SABSA.

Figure above sourced from Visual Capitalist, illustrates the rise and fall of Yahoo from a massive 125 to a 4.48 billion company. The lack of management in both business and technical aspect leads to its downfall. In the end, Verizon Media bought Yahoo for 3.5% of its original value (Shaban, 2017)

            In conclusion, it is important that companies must be proactive in both management and technical aspect to protect its business core values. Also, they both must synchronize themselves with the rapidly changing world, otherwise the world will change them as it did for Yahoo.

Share this:

Published by mannyse.

cybersecurity, network security, psychology, philosophy View more posts

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Yahoo has had a years-long history of both data breaches and cases where hackers break into systems but do not take anything.

The collective hacks have led to a settlement in which affected parties can participate. Here is what this article will help you know:

What happened?

How did yahoo respond, what should cisos learn from this breach.

• What should you know about the settlement?
• Breaches are increasingly prevalent threats.

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

According to the website for the Yahoo data breach settlement , the company’s cyber security issues contained in this matter extended from 2012 to 2016. But, the information gets more specific and says data breaches involving stolen information occurred from 2013 and 2016, while so-called data security intrusions (where an infiltration happened without those responsible taking data) happened from at least January-April 2012.

Then, cybercriminals did not take the same kind of data in every case or behave the same way. For example, in 2012, two separate hackers broke into Yahoo's online infrastructure without taking anything.

The next year, cybercriminals behaved maliciously when they took records from all of Yahoo's accounts, which totaled about 3 billion . In that instance, the information seized by the hackers could have allowed them to access things like users' email accounts and calendars.

In 2014, hackers directly targeted Yahoo's user database, affecting about 500 million people. The cybercriminals reportedly got account details such as people's names, email addresses, passwords, phone numbers and birthdays.

Become a Cyber Security Hub member and gain exclusive access to our upcoming digital events, industry reports and expert webinars

The aftermath of that event continued for years later, sparking increased public awareness both about these breaches and the respective cyber security laws and regulations. It was not until 2018 that news broke about Yahoo's shell company receiving a $35 mn fine for failing to disclose the 2014 incident.

The final cyber security matter addressed by the settlement happened from 2015 to September 2016. In that instance, hackers used cookies to break into the accounts of about 32 million individuals.

Unfortunately, Yahoo failed to issue the kind of sweeping statement you might expect to give the public reassurance that the company has recommitted itself to cyber security in meaningful ways. Instead, the brand has a section on its website devoted to security notices . There, you can find the data breach notices that Yahoo sent to its users in September 2016, December 2016 and October 2017.

Here is a breakdown of what Yahoo pledged to do to stop future incidents in each case:

• Invalidated unencrypted security questions and answers
• Continually enhancing the systems that detect and prevent unauthorized access
• Required all affected and unaffected users to change their passwords

Yahoo's statements mentioned the company was working with law enforcement officials, but the documents did not give concrete details about the status of the investigations. The company did briefly reveal that a state-sponsored party may have been behind the 2014 issue.

Verizon Communications Inc., of which Yahoo is now a part, also promised to spend $306 mn between 2019 and 2022 to improve Yahoo's cyber security, which is five times more than what Yahoo itself spent between 2013 and 2016. Verizon also indicated it would quadruple Yahoo's IT staff.

See Related: Telling the cautionary tales of cyber crime

The Yahoo data breach was, in part, as bad as it was because of poor security practices. Hackers gained access to Yahoo’s network through the use of a phishing scheme. All it took was one employee with network access clicking on a malicious link for a hacker to get through. Once in, the hackers were able to guarantee their continued access to the network. Also, some confidential data — including security questions and answers — was stored unencrypted by Yahoo.

CISOs should prepare for attacks that use social engineering just as much as brute-force attacks. This will require CISOs to provide some level of cyber security education to non-cyber security and non-tech savvy staff. CISOs should also ensure that basic security measures — like the encryption of identifying information — are in place.

What should you Know about the settlement?

In April 2019, Yahoo agreed to a $117.5 mn settlement associated with the above incidents, which affected about three billion people. According to an article from Reuters, it covers approximately 896 million accounts belonging to as many as 194 million people in the US and Israel.

Breaches are increasingly prevalent threats

The frequent news of breaches is enough to make people think that they are at risk by using the internet in any way. Although it took a while for sufficient corrective action to happen in Yahoo's case, that is hopefully changing now.

See Related: Top 5 cyber security breaches of 2019 

FIND CONTENT BY TYPE

• Case Studies
• White Papers

Cyber Security Hub COMMUNITY

• Advertise with us
• Cookie Policy
• User Agreement
• Become a Contributor
• All Access from CS Hub
• Become a Member Today
• Media Partners

ADVERTISE WITH US

Reach Cyber Security professionals through cost-effective marketing opportunities to deliver your message, position yourself as a thought leader, and introduce new products, techniques and strategies to the market.

JOIN THE Cyber Security Hub COMMUNITY

Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.

Cyber Security Hub, a division of IQPC

Careers With IQPC | Contact Us | About Us | Cookie Policy

Become a Member today!

PLEASE ENTER YOUR EMAIL TO JOIN FOR FREE

Already an IQPC Community Member? Sign in Here or Forgot Password Sign up now and get FREE access to our extensive library of reports, infographics, whitepapers, webinars and online events from the world’s foremost thought leaders.

We respect your privacy, by clicking 'Subscribe' you will receive our e-newsletter, including information on Podcasts, Webinars, event discounts, online learning opportunities and agree to our User Agreement. You have the right to object. For further information on how we process and monitor your personal data click here . You can unsubscribe at any time.