Inside the Russian hack of Yahoo: How they did it

A single click was all it took to launch one of the biggest data breaches ever

Martyn Williams, Senior U.S. Correspondent, IDG News Service

One mistaken click. That's all it took for hackers aligned with the Russian state security service to gain access to Yahoo's network and potentially the email messages and private information of as many as 500 million people.

The U.S. Federal Bureau of Investigation has been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the FBI indicted four people for the attack, two of whom are Russian spies.

Here's how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It's unclear how many employees were targeted or how many emails were sent, but it only takes one person to click on a link, and one did.

Once Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network, he looked for two prizes: Yahoo's user database and the Account Management Tool, which is used to edit the database. He soon found them.

To avoid losing his foothold, he installed a backdoor on a Yahoo server, and in December he stole a backup copy of Yahoo's user database and transferred it to his own computer.

The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.

It's those last two items that enabled Belan and fellow commercial hacker Karim Baratov to target and access the accounts of certain users requested by the Russian agents, Dmitry Dokuchaev and Igor Sushchin.

A U.S. District Court indictment for four people accused of hacking Yahoo is seen against FBI wanted posters.

The account management tool didn't allow for simple text searches of user names, so instead the hackers turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery email address, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest.

Once the accounts had been identified, the hackers used the stolen per-account cryptographic values, called "nonces," to generate access cookies through a script that had been installed on a Yahoo server. Because a valid cookie could be derived from a value sitting in the user database, possession of the stolen database plus that script was enough; no password was needed. Those cookies were generated many times throughout 2015 and 2016 and gave the hackers free access to the targeted email accounts.
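The following toy model, added here as an illustration and not code from the article or from Yahoo, shows why a per-account secret stored in the user database is a weak basis for a session cookie, and how a server-held signing key, an expiry and a revocable session record change the picture. The account rows, the names `STOLEN_DB`, `mint_cookie_weak`, `mint_cookie_hardened` and the key values are all constructed for the demonstration; nothing here describes Yahoo's actual cookie format.

```python
"""Cookie minting from a stolen per-account secret: weak vs. hardened design.

Constructed example. The "nonce" column models a static per-account value
that cookie-minting code derives the cookie from; the hardened version keeps
the signing key out of the user database entirely.
"""
import base64
import hashlib
import hmac
import os

# Constructed sample of a user-database dump: recovery e-mail and per-account
# secret side by side, as the article describes.
STOLEN_DB = {
    "user1": {"recovery_email": "someone@ministry.example", "nonce": b"\x01" * 16},
    "user2": {"recovery_email": "reporter@news.example", "nonce": b"\x02" * 16},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- weak design: every input to the cookie lives in the user database ---

def mint_cookie_weak(username: str, db: dict) -> str:
    """Cookie = username.HMAC(nonce, username).

    Anyone holding a copy of db can run this; the server's copy of the
    database is no more privileged than the attacker's stolen backup.
    """
    tag = hmac.new(db[username]["nonce"], username.encode(), hashlib.sha256).digest()
    return f"{username}.{_b64(tag)}"


def verify_weak(cookie: str, db: dict):
    username, _, tag = cookie.rpartition(".")
    if username not in db:
        return None
    expected = hmac.new(db[username]["nonce"], username.encode(), hashlib.sha256).digest()
    return username if hmac.compare_digest(_unb64(tag), expected) else None


# --- hardened design: key outside the DB, bounded lifetime, revocable session ---

def mint_cookie_hardened(username: str, server_key: bytes, sessions: dict,
                         now: int, ttl: int = 3600) -> str:
    """Cookie binds username, expiry and a random session id under a key that
    is never stored in the user database (held in a KMS/HSM in practice).
    The session id is recorded server-side so it can be revoked and audited."""
    sid = _b64(os.urandom(12))
    exp = now + ttl
    sessions[sid] = username
    body = f"{username}.{exp}.{sid}"
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_hardened(cookie: str, server_key: bytes, sessions: dict, now: int):
    parts = cookie.rsplit(".", 3)          # username itself may contain dots
    if len(parts) != 4:
        return None
    username, exp, sid, tag = parts
    body = f"{username}.{exp}.{sid}"
    expected = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        return None
    if now >= int(exp) or sessions.get(sid) != username:
        return None
    return username


def demo() -> dict:
    """Attacker holds STOLEN_DB and the minting script, but not SERVER_KEY."""
    forged = mint_cookie_weak("user1", STOLEN_DB)
    weak_ok = verify_weak(forged, STOLEN_DB) == "user1"

    server_key = b"k" * 32                 # constructed; lives outside the DB
    sessions = {}
    now = 1_700_000_000
    real = mint_cookie_hardened("user1", server_key, sessions, now)
    # Best the attacker can do from the dump: sign with the stolen nonce.
    forged2 = mint_cookie_hardened("user1", STOLEN_DB["user1"]["nonce"], {}, now)
    return {
        "weak_forgery_accepted": weak_ok,
        "hardened_forgery_accepted": verify_hardened(forged2, server_key, sessions, now) is not None,
        "hardened_real_accepted": verify_hardened(real, server_key, sessions, now) == "user1",
    }


if __name__ == "__main__":
    print(demo())
```

The `sessions` table also gives the defender something the weak design lacks: every minted cookie is a server-side event that can be counted per account and per minting host, which is the kind of signal that would surface a script quietly issuing cookies for thousands of accounts over two years.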

Throughout the process, Belan and his colleague were clinical in their approach. Of the roughly 500 million accounts they potentially had access to, they only generated cookies for about 6,500 accounts.

The hacked users included an assistant to the deputy chairman of Russia, an officer in Russia's Ministry of Internal Affairs and a trainer working in Russia's Ministry of Sports. Others belonged to Russian journalists, officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company and a U.S. airline worker.

So narrowly targeted was the attack that when Yahoo first approached the FBI in 2014, it did so worried that 26 accounts had been targeted by hackers. It wasn't until late August 2016 that the full scale of the breach began to become apparent and the FBI investigation significantly stepped up.

In December 2016, Yahoo went public with details of the breach and advised hundreds of millions of users to change their passwords.

Martyn Williams covers general technology news for the IDG News Service and is based in San Francisco. He was previously based in Tokyo.