More details about the activities that led to one of the biggest data breaches in history are coming to light now that the Department of Justice has indicted four suspects for the 2014 Yahoo hack that affected more than 500 million accounts. An early report revealed how Russian spy operatives and hackers were able to access user accounts without actually stealing passwords. The attackers were able to get their hands on two critical Yahoo resources that they used to trick Yahoo servers into thinking that they were the genuine account owners.
A second report now reveals that in order to actually breach the accounts they were targeting, the hackers first needed to hack just one single Yahoo employee.
FBI special agent Malcom Palmore told ArsTechnica in an interview that the hack likely started with an attack on a “semi-privileged” Yahoo employee rather than a top executive. Social engineering or spear fishing “was the likely avenue of infiltration” for hackers to gain the credentials they needed to infiltrate Yahoo’s server.
The direct result of this attack was access to Yahoo’s internal networks. That’s where one of the hackers conducted reconnaissance work and discovered the key assets the attackers needed to be able to break into specific user accounts. The hackers obtained a large database that helped them create forged cookies, which were enough to access a Yahoo Mail account without the owner’s knowledge and without any login credentials.
Yahoo disclosed the 2014 security breach that affected more than 500 million accounts only a few months ago. Since then, it confirmed that the company suffered two similar data breaches that affected more than one billion users in total.
The FBI agent did not say whether the government or Yahoo discovered the 2014 breach, and he did not reveal more details about the initial attack on the unnamed Yahoo employee. Furthermore, Palmore did not say how long the intrusion lasted.
FBI special agent John Bennett said during a news conference in San Francisco that Yahoo was a great partner during the investigation, and that the company was under no obligation to tell customers about the breach. Yahoo apparently withheld the disclosure for nearly two years, he said.