After a failed attempt to encrypt its internal networks and secure web connections to its servers, Yahoo announced that it had been hacked once again, compromising the data of more than 1 billion accounts.

The breach occurred in August 2013, and it differs from the 2014 breach that was revealed by the company in September. Bob Lord, Yahoo’s chief information security officer, revealed that hackers used Yahoo’s code to forge web cookies to access the accounts without needing their passwords.

Yahoo-Kathy-Savitt
Yahoo’s email news came up the same week that the company announced that it is spinning off its main Internet business.
Image: Bigstockphoto

It is not the first time.

After the announcement, Yahoo came under scrutiny by federal authorities, which allowed Verizon to seek a better deal on their intentions to buy the internet pioneer. At first, Verizon had accorded in July to buy Yahoo for $4.8 billion, but after two major hacks, the price will surely drop to reflect the damages that its new owner will have to mitigate after the purchase.

If Yahoo fails to provide a decent discount, Verizon has already shown intentions of going to court to settle the negotiation.

The hackers behind the recently-revealed breach have not been fully identified. They were able to obtain phone numbers, dates of birth, passwords, security questions, and emails. Yahoo assures that the hackers could not steal banking and payment data due to those entries being stored in a separate secure system, but just with the compromised information hackers can access the user’s accounts on other services.

“I think that the biggest frustration looking at this from the outside with the knowledge we have is simply ‘how the heck did they miss it?’ at the forensic level or the exfiltration layer. The fact that this quantity of data and this length of hack has continued to go unnoticed and appears to be a separate hit against Yahoo!, smacks of absolute unawareness at some level within the organization for the very basics in security,” stated to The Street Chris Roberts, chief security architect at California-based Acalvio.

Supposedly, Yahoo already informed its users about the accounts that were exploited using the forged cookies. The company also assured that they had “hardened” their servers against future attacks of the same kind. Affected users are being prompted to change their passwords and the hacked information has been invalidated so the accounts cannot be accessed by unauthorized third parties.

How is the U.S. government involved?

The 2013 breach had gone unnoticed until law enforcement officials confronted the company after a security investigator noticed compromised data being trafficked in underground marketplaces. It was then revealed that over 150,000 U.S. government and military personnel were affected by the data breach, where any external source could make use of the hacked information, facilitating surveillance and cyber espionage.

The accounts belong to White House staff employees, congressmen, FBI and CIA agents, and all of the branches of the military, including diplomats that are working abroad in Syria and Pakistan.

A particular case would be Alexandra Chalupa, a consultant for the Democratic National Committee. She was met with cookies suggesting that her account had been compromised by state-sponsored actors.

Cybersecurity has become a critical issue, seeing that it has influenced the presidential election and many government affairs, where a single hacked email account can provide enough material to destroy a politician’s career. One example is John Podesta’s Gmail account, which was hacked by Russian actors in an effort to influence the U.S. election and to let controversy about Hillary Clinton take its toll on her candidacy.

According to Andrew Komarov, the cybersecurity investigator who found the breached data in the underground market, the 1 billion breached Yahoo accounts would be sold for $300,000. Komarov spotted three different sale efforts, where they provided a list of login credentials that corresponded to U.S. government officials to ensure the legitimacy of the hack.

Yahoo announced being hacked two months after the data was found by Komarov, revealing that 500 million accounts were hacked. But the information revealed by Yahoo did not correspond to what he saw in the markets, which showed minimal encryption and featured the user’s backup e-mail addresses, which the 500 million account hack did not have. The conclusion was that Yahoo had been hacked a second time, which led Komarov to report the incident to U.S. officials. Yahoo started investigating the issue in October and it was just this week that the company confirmed the events.

Komarov revealed that the people selling the database tend to sell the information to spammers, which suggests that the crime was not committed by a state-run entity. He also suggests that the same group has hacked records of other companies such as Dropbox and MySpace.

“Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands. The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge,” stated Komarov.

Source: Bloomberg