The Department of Justice on Wednesday identified four people, including two Russian intelligence officers and two criminal hackers, as the main suspects behind one of the biggest data breaches in the world. Yahoo was hacked in 2014 but the company only disclosed it two years later, when it confirmed that more than 500 million accounts had been breached. A new report explains how the hackers got into Yahoo Mail accounts, revealing that they did not access all 500 million accounts at once, and that Yahoo could have limited the damage had it acted faster against the intruders.
An Associated Press report offers more insight into the hackers’ methodical approach to cracking Yahoo accounts.
US officials revealed that the Russian spies were primarily interested in accounts belonging to Russian and US government officials, Russian journalists, and employees of financial firms and other companies. The criminal hackers who helped them sought to make money from the operation by targeting ordinary Yahoo users who were of no interest to intelligence agencies. Hacked accounts would be mined for financial details or used to run spam campaigns.
The hackers first breached Yahoo’s network in early 2014 by means that remain unknown. By working their way through Yahoo’s network, they had stolen two valuable resources by the end of the year: a backup copy of Yahoo’s user database, which contained information that could be used to reset passwords, and an internal tool Yahoo uses to access and edit the information in that database.
The hackers did not obtain some sort of universal key that opened any Yahoo Mail account. In fact, they did not even need users’ passwords: the stolen database held passwords only in hashed (encrypted) form, not in the clear.
Instead, they combined the stolen account data with malware to forge session cookies that fooled Yahoo’s servers into treating the attacker as the legitimate, already signed-in account owner. Yahoo disclosed late last year that a third attack had compromised some 32 million accounts using the same forged-cookie technique. It is unclear whether these breaches are related.
Because a forged cookie stayed valid until the account’s credentials changed, the method let the hackers read the contents of an account at will for as long as its owner did not change their password after November 2014. The hackers used the technique against more than 6,500 user accounts.
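The passage above describes the mechanism in outline: once an attacker holds the user database, they can mint cookies the server will accept, and those cookies stop working only when the account’s credentials are changed. The following is an added, self-contained model of that failure mode written for this article; it is not Yahoo’s code and does not reproduce Yahoo’s actual cookie format. All names (`fresh_db`, `mint`, `verify`, `change_password`, `attacker_session`), the record layout and the user data are constructed for illustration. The weak design keys the cookie MAC entirely on material stored in the user database, so a copy of the database is enough to forge cookies; rotating the per-account nonce on password change invalidates every outstanding cookie (which is why changing the password ended the hackers’ access); and keeping a server-only secret out of the database makes a database dump alone insufficient.

```python
import base64
import copy
import hashlib
import hmac
import json
import os
import secrets


def _hash_password(salt_hex: str, password: str) -> str:
    # Toy password hash for the example; a real deployment uses bcrypt/scrypt/Argon2.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 10_000
    ).hex()


def fresh_db() -> dict:
    """Constructed toy user database (hypothetical schema, fabricated data).

    It carries the kinds of fields the article says the stolen copy held: a
    password hash, a recovery address, and a per-account nonce that the
    server uses when minting session cookies.  It is deterministic so that a
    second call yields an identical 'stolen backup' of the same records.
    """
    return {
        "alice": {
            "salt": "5c0ffee5",
            "pw_hash": _hash_password("5c0ffee5", "correct horse"),
            "account_nonce": "9f1c4e2ab7d0",
            "recovery_email": "alice.recovery@example.org",
        }
    }


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mint(user: str, db: dict, server_key: bytes = b"") -> str:
    """Mint a session cookie for `user`.

    The MAC key is server_key || account_nonce.  With server_key empty (the
    weak design) everything needed to mint a cookie lives in the user
    database, so whoever holds a copy of the database can mint for any user.
    """
    rec = db[user]
    payload = json.dumps({"u": user, "n": rec["account_nonce"]}, sort_keys=True).encode()
    key = server_key + rec["account_nonce"].encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def verify(cookie: str, db: dict, server_key: bytes = b""):
    """Return the username the cookie authenticates, or None if it is invalid."""
    try:
        b64, mac = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        data = json.loads(payload)
        rec = db[data["u"]]
    except (ValueError, KeyError, TypeError):
        return None
    # The key includes the nonce that is current *now*, so a cookie minted
    # under an older nonce fails the MAC check: rotating the nonce kills it.
    key = server_key + rec["account_nonce"].encode()
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None
    return data["u"]


def change_password(user: str, db: dict, new_password: str) -> None:
    """Reset the password and rotate the nonce, invalidating outstanding cookies."""
    rec = db[user]
    rec["salt"] = secrets.token_hex(4)
    rec["pw_hash"] = _hash_password(rec["salt"], new_password)
    rec["account_nonce"] = secrets.token_hex(6)


def attacker_session(user: str, stolen_dump: dict, live_db: dict, server_key: bytes = b""):
    """Simulate the attack: mint from the stolen copy, present to the live server.

    The attacker has the database dump but not any server-only secret, so the
    forged cookie is minted with an empty server_key.
    """
    forged = mint(user, stolen_dump)
    return verify(forged, live_db, server_key)


if __name__ == "__main__":
    live = fresh_db()
    dump = copy.deepcopy(live)            # what the intruders carried off
    server_key = os.urandom(32)           # kept on the server, never in the database
    print("weak scheme, dump only   :", attacker_session("alice", dump, live))
    print("server-key scheme, dump  :", attacker_session("alice", dump, live, server_key))
    change_password("alice", live, "new passphrase")
    print("weak scheme after reset  :", attacker_session("alice", dump, live))
```

Run as a script it prints `alice`, `None`, `None`: the dump alone defeats the weak scheme, a server-held key defeats a dump-only attacker, and a password reset (with nonce rotation) closes the door that was open. The second mitigation is exactly what an internal minting tool bypasses if the tool itself is stolen, which is why a database backup and the tool together were so damaging.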
The stolen database contained personal data including phone numbers, answers to security questions and recovery email addresses. The hackers singled out individuals by searching for recovery email addresses that matched their targets. They may have used that information to go after other online accounts belonging to the same user, such as Gmail and other services. They could also send fraudulent emails to users to trick them into revealing passwords for other accounts, or into installing malware on their computers.
When it came to “monetizing” their efforts, the hackers employed various tactics. They apparently searched the contents of mailboxes for credit card and gift card information. They used the breached accounts to run highly targeted spam campaigns, sending emails in the names of unsuspecting users to their friends and colleagues, who would be more likely to open a message from someone they knew. Finally, the hackers also manipulated servers so that they collected commissions whenever a user searched for a certain product, such as erectile dysfunction medication, and bought it online.
Yahoo last year also confirmed that a separate attack dating back to 2013 affected more than one billion accounts, but it is not clear whether that breach is linked to the Russia-sponsored 2014 attack.