When it comes to Yahoo’s massive security breach, the company was right about one thing.
Yahoo! Inc. has been saying since September that a state-sponsored actor was behind a hack in 2014 that compromised about 500 million of its user accounts, even as some security experts cast doubt on that claim. Yahoo gained a measure of vindication Wednesday when the U.S. government laid out charges against four individuals allegedly acting at the behest of the Russian government when they broke into Yahoo’s computer systems.
“The indictment unequivocally shows the attacks on Yahoo were state-sponsored,” the company said. “We are deeply grateful to the FBI for investigating these crimes and the DOJ for bringing charges against those responsible.”
Yahoo is not alone in meeting skepticism for asserting a hacking attack was the work of a foreign government. Companies sometimes make that claim, in some cases to help collect on cyber-insurance payouts or for a waiver from the U.S. government allowing them to keep the incursion secret while it’s investigated on national security grounds.
In Yahoo’s case, there was also a merger on the line. The company had in July agreed to sell its Internet properties to Verizon Communications Inc., and any evidence that the company had been lax in keeping user data secure might give its new owner cause to revisit terms of the deal. A state-backed attack led by elite hackers, on the other hand, can be more difficult to repel — or so a company can argue.
“You’re pitting U.S. corporations against state-sponsored activity,” said Jim Pastore, a member of Debevoise & Plimpton’s Cybersecurity & Data Privacy practice and Intellectual Property Litigation Group. “And no matter how good you are as a company, that is an unfair battle.”
Even as the indictments show a sophisticated and comprehensive attack, they also reveal new details about the lapses that left Yahoo vulnerable to criticism that it failed to adequately shore up accounts — and ultimately prompted Verizon to renegotiate terms of its planned acquisition.
The document outlined for the first time how deeply Yahoo’s internal systems were compromised by the attackers. Most crucially, the hackers were able to access Yahoo’s computers for managing user information, which included the cryptographic values assigned to each user and needed to generate the files known as cookies. These pieces of data can be used to identify a particular user and associate that person’s account to Yahoo’s servers as well as sites visited across the web. The attackers were able to create their own cookies, thus allowing them to bypass Yahoo’s login security protocols for any targeted accounts.
“They come off looking relatively lax on security,” said Stephen Beck, founder of management consultancy cg42.
Yahoo had already admitted to missteps, allowing the hackers to access its user database and clone the cookies that let them easily enter and rifle through as many as 32 million accounts without even needing the passwords. And in December, the company announced an earlier and bigger breach, involving 1 billion user accounts, which was discovered by Andrew Komarov, chief intelligence officer for InfoArmor, a security company, who had been tracking the spammers who orchestrated that incursion.
Yahoo General Counsel Ronald Bell resigned earlier this month after an investigation found his legal team didn’t adequately investigate leads about Yahoo’s security issues, and Chief Executive Officer Marissa Mayer wasn’t given a cash bonus.
An investigation by Yahoo’s board found that senior executives knew about the hacking in 2014 but that it “was not properly investigated and analyzed,” the company said in a filing this month. Yahoo notified just 26 people whose accounts were infiltrated.
The board found that “failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling” of the breach, according to the filing.
The Justice Department’s revelations Wednesday served to reinforce those findings.