Cybersecurity Scary Stories: Hacking Yahoo

Cybersecurity | October 4, 2021

What happens when a bump in the night turns into billions of exposed accounts? Let the hacking of Yahoo be a warning to us all. 

An online stalwart. A digital kingpin. A search giant. Pioneering the early internet, what started as a simple database in 1994 quickly expanded to become the library of web services we now know as Yahoo. Offering search capabilities, mail, news, and even an ad platform, there was a time when it would seem Yahoo was too big to fail. 

Was, being the operative word. Like many companies before it (and surely many more to come) Yahoo neglected to heed the warnings of cybersecurity experts, leaving the company and all its user data defenseless from attack.  

And attack they did. Twice.  

According to Yahoo themselves, the first major hit on Yahoo servers took place in mid-2013. Evidence of the exceptionally large data breach was uncovered in 2016 while parsing through data of an entirely different, yet smaller, cyberattack (more on that later). Within this data, agents found a 2015 listing on the dark web offering information on nearly 1 billion Yahoo user accounts to the tune of $300,000.

The specific account information exposed included unencrypted security questions and answers as well as encrypted names, email addresses, and passwords. Many experts agree that the type of encryption used was out of date and easily hackable. So, because folks so regularly reuse account information, this breach immediately put all of the victims’ other accounts at risk as well.

Once discovered, Yahoo reported the breach and notified all affected users. But the damage was not yet done. Upon further investigation in 2017, Yahoo officials revealed that their original estimate of 1 billion accounts compromised was far too low.  

The real number? Over 3 billion –which amounts to nearly every single account Yahoo had at the time. To this day, the 2013 Yahoo hack is the largest known data breach in history, the exact source of which still hasn’t been found.  

To add insult to injury, as news of the breach above was unfolding, Yahoo was still recovering from revelations of a smaller attack from 2014 as well. Believed to be a state-sponsored attack, this hack leveraged poor cookie management to enter users’ accounts, bypassing password protection. By the time it was officially discovered in 2016, over 500 million accounts were exposed. Eventually, the United States government would try Russian agents and affiliated “hackers for hire” with crimes for the attack.  

Just wait, it gets even worse.  

In March of 2017, an internal investigation by Yahoo found that the company’s security team, execs, and some legal staff actually knew of the attack in 2014, before it was officially reported two years later. According to a regulatory filing with the SEC, senior members of Yahoo’s team did not act sufficiently with their knowledge. Following this bombshell, Yahoo’s top lawyer resigned without severance and CFO Marissa Mayer lost her 2016 bonus, later resigning when Verizon bought Yahoo at an understandably discounted price.  

A truly chilling saga, isn’t it? 

While Yahoo is, of course, still up-and-running today, it has nowhere near the market share it once enjoyed. With the specter of multiple, history-making data breaches hanging overhead much of the company’s reputation – and once-valued customers – have been lost to other web service providers.  

Which begs the question: if an enterprise as large as Yahoo could suffer such devastating effects at the hands of cybercriminals, what’s stopping them from heading after you? And if the hack of 3 billion accounts could go unnoticed for nearly three years, who’s to say they haven’t already?  

It’s a terrifying thought, but you don’t have to take it alone. Protecting your sensitive information is more important today than ever before; EMPIST is here to help. Learn more about our cybersecurity services by contacting team EMPIST online today.  

(Additional Sources: CNN Business, New York Times, NPR, Tech Crunch, Yahoo)