Yahoo! and the Data Breach which affected its 3 billion users

Who doesn’t know Yahoo!, an American company since 1994, which was acquired in 2017 by Verizon and then in 2021 by Apollo Global Management.

Yahoo was the most visited site in 2004, however Google dethroned it and Yahoo slowly but surely declined during the 2010s.

The fact remains that Yahoo has always been, to this day, one of the most famous sites in the world with at its peak more than 3 billion users and still counting 1 billion to this day.

2016, the fatal year

The Data Breach History of Yahoo! started in 2016, well not really, but it became public in 2016, more precisely in the second half of that year. An anonymized person, going by the name “Peace_of_Mind”, interviewed two major US newspapers, Vice and Wired, and said he was selling privately through “TheRealDeal”, a Dark Net platform, passwords of approximately 200 million Yahoo! users, who do not really know how this data was obtained.

Yahoo! said they knew their data was being resold, they were just notifying users without resetting their passwords.

On September 22, 2016, Yahoo announces to the public a theft of its users’ data following an intrusion made at the end of 2014, more than 500 million accounts were affected by this violation.

On December 14, 2016, Yahoo repost a statement reporting this time that an intrusion, which took place in August 2013, allowed hackers to extract more than a billion user accounts including security questions / answers not encrypted. Yahoo forced all of its users to reset their passwords and questions/answers.

10 months later, in October 2017, Yahoo re-evaluates the hack and declares that all of its users, over 3 billions, have been affected.

The intrusion at the end of 2014

The late 2014 intrusion, which was disclosed by Yahoo in September 2016, affected as many as 500 million user accounts, including:

• Names
• Emails
• Telephone numbers
• Birth dates
• Passwords hashed using the bcrypt algorithm
• Questions / Answers encrypted or not

Thanks to the unencrypted Q&As, hackers can reset a password and take possession of the person’s account, and so obtain more personal informations. All the informations retrieved are then resold on the Dark Net.

Flickr, Sky and BT accounts were also affected, the belong to Yahoo.

According to Yahoo, the hackers come from other countries, Russia or China. The FBI, with support and backing from Yahoo, investigated this incident.

In a report given to the U.S. Securities and Exchanges Commission (SEC) in November 2016, Yahoo declares to be aware of this intrusion since 2014 but have never assessed the extent of the incident, it is only from July 2016 that the company actually investigated the case.

Yahoo submitted a previous report to this one on September 9, 2016 telling the SEC that no “security breach” or “loss, theft, unauthorized access or acquisition” of data was found.

On March 15, 2017, the FBI officially charged 4 men:

1. FBI Top 10 Fugitive Hacker Alexsey Belan
2. Karim Baratov, a Canadian hacker who was arrested and extradited to the United States
3. Two agents of the Federal Security Service of the Russian Federation (FSB): Dmitry Dokuchaev and Igor Sushchin. These two agents are accused of having paid the hackers to carry out the intrusion to obtain confidential informations

The intrusion method is similar to the August 2013 intrusion.

The August 2013 intrusion

Let’s come to the biggest intrusion, that of August 2013, intrusion, I remind you, reported in December 2016 by Yahoo.

According to the Californian company, the two intrusions are not related, however the stolen datas are similar but this time concern more than 1 billion users at the end of 2016.

Yahoo announces that the hacker is an “unauthorized third party” and that he used cookie forgery, allowing hackers to identify themselves as any user without a password.

This time, Yahoo forced all users to change passwords and Q&As.

In October 2017, Yahoo went back on these figures and declared that all of its users, more than 3 billions, were affected by this intrusion.

Andrew Komarov, director of intelligence at cybersecurity firm InfoArmor, had helped Yahoo! and law enforcement to track down the source of the leaks. Digging through the Dark Web, Komarov finds a vendor with a list of over a billion users, including more than 150,000 names of people working for the United States government and military, and associated accounts to the European Union, Canada, and the British and Australian governments.

Legal & financial repercussions

In July 2016, before the declarations of intrusion and data leak, Verizon Communications had planned to buy part of Yahoo for 4.83 billion dollars. As a result of these breaches, the buyout agreements were nearly voided, however the buyout price was lowered to $4.48 billion. The other part of Yahoo was picked up by the company Altaba.

At the reputational level, many revelations followed the declarations of data leak. Thus, Yahoo has been heavily criticized for its blatant lack of cybersecurity. In 2013, Edward Snowden identified Yahoo as a company completely lacking in security and lagging behind in security protocols, making it a prime target for hackers. A year later, Yahoo hires a cybersecurity expert named Alex Stamos, but CEO Marissa Mayer has denied him the funds needed to improve the company’s IT security. He left the company in 2015. It was revealed that Mayer and other Yahoo executives were aware of the intrusions but were unwilling to communicate them to the public or to personnel working in the company. Mayer left his post as CEO in 2017.

Several lawsuits have been filed, 23 to be precise, 5 of these cases have been grouped into one class action. In March 2018, Verizon searched to dismiss part of the case, but Judge Lucy H. Koh denied the dismissal. Before the lawsuit began, Altaba and Verizon agreed to share a $50 millions cost with the 200 million class action users. Those whose personal informatione were spoofed could get $375 and those whose accounts were just affected without proven spoofing could get $125. The judge rejected the offer, forcing Yahoo to pay $117.5 million in April 2019.

The governments also criticized the lack of security of the Californian company, but also the lack of transparency by announcing the intrusions to the public two years later. Thus American senators, judging the delays in disclosure “unacceptable” sent a letter to the CEO of Yahoo to explain the events, but also asked the SEC to investigate, which they did. In October 2018, the SEC reached a settlement with Altaba for $35 million for not timely disclosing the 2014 breach.

European regulators have expressed their reservations about privacy and data security at Yahoo. Indeed, in addition to intrusions and data leak, Yahoo had entered into a contract with the US government to scan all incoming emails and disclose information to US intelligence services. The Irish Data Protection Commissioner has launched inquiries into the privacy breaches. On the side of the Federal Office for Information Security in Germany, the latter declared that “security is not a foreign concept” and asked members of the German government as well as the people not to use Yahoo and use more secure email and web search solutions.

In 2013, Yahoo has suffered the biggest breach in history with over 3 billion users affected. This story got even bigger knowing that Yahoo didn’t reveal this story until late 2016, three years later, forcing users to change passwords and recovery methods.

However, the sequence of two intrusions revealed 3 months apart, plus the fact that their computer security was clearly not a priority, Yahoo lost many users, as well as their trust.

Today the brand has only a third of its users compared to 2016, and is clearly no longer the giant it once was.

Their lack of security added to the lack of responsiveness has become a real textbook case, showing the need today to have a solution to scan the flaws and vulnerabilities of a site but also a data leak detection tool.