Lessons Learned from the 3 Billion User Accounts Theft

Yahoo suffered a massive data breach affecting 3 billion user accounts, and the breach offers several critical lessons for any organization that needs to protect its critical assets. Let's look in detail at how it happened and what we can learn from it.

Company Background:

Yahoo derives most of its revenue from advertising through search, display, and native advertising, including mobile advertising. It serves targeted advertisements to users based on their personal information. Yahoo collects and stores data on its users, such as names, email addresses, telephone numbers, birth dates, passwords, and security questions. Given the scale of its reach and the volume of user data stored, it was a target of periodic cyber attacks, beginning in 2008.

How the breach happened:

In November 2014, the attackers used stolen Yahoo employee credentials to log into the hosts where the user databases (UDB) were stored. From there they found their way to the physical files holding the weekly UDB backups. The attackers moved the UDB backup files to a compromised server inside the network, copied portions of them, and transmitted those portions out over an FTP connection to a host in Russia. They then deleted the UDB backup file from the compromised server to hide their trail and avoid detection. In this way the attackers stole the account information of more than 500 million users. Access to the Account Management data allowed them to look up information about critical user accounts. The attackers also used a malicious script placed on Yahoo's network to mint cookies in bulk (at least tens of thousands of cookies at a time), which gave them access to more than 30 million user accounts. To avoid detection they installed a program known as a log cleaner on Yahoo's network to delete network activity logs. They stole names, email addresses, birth dates, phone numbers, hashed passwords, security questions, and backup email addresses, and reset the passwords.

The Impact on Yahoo:

  • Yahoo was the subject of multiple federal and state class-action lawsuits filed against it.
  • Multiple regulatory investigations commenced in the U.S. and other countries.
  • On April 24, 2018, the SEC fined Yahoo $35 million to settle charges that it had failed to disclose the data breaches and had misled investors. The class-action lawsuits eventually resulted in multi-million dollar settlements.
  • Verizon ended up paying $350 million less than it had originally agreed to pay to acquire Yahoo.
  • Yahoo had to agree to assume 50 percent of any liabilities from third-party litigation or any non-U.S. Securities and Exchange Commission (SEC) government investigations, and 100 percent of any liabilities from shareholder lawsuits and SEC investigations.

Lessons learned:

  • Cybersecurity must be a priority for every organization, starting at the highest level (board and senior management). Otherwise it will be costly both financially and reputationally, and may even be catastrophic.
  • Early detection is vital. Attackers will break in, so the focus must be on detecting them early. Consider the attackers' activities and the signals that Yahoo did not detect at each stage of the cyber attack chain.
  • Create a solid incident response plan. Yahoo was slow and did not take immediate risk-mitigation action, so the attackers kept coming back and were repeatedly successful at stealing data. Continuously educate employees and users on security best practices, and have a response plan in place in case of a breach that clearly states who will handle communications and assigns personnel clear roles for the investigation and remediation phases.
  • Missed signals. Yahoo missed many attack signals that could have revealed the intruders early. Had they been acted on, Yahoo could probably have stopped the hack before the data of 3 billion user accounts was stolen.
  • Avoid surprise and uncertainty by adopting a proactive approach to cybersecurity that puts you on the front foot against attackers and keeps you ahead of regulatory requirements. Beyond encryption and strong authentication, organizations need to adopt multiple security layers throughout the enterprise network. Companies must make vigorous use of penetration testing to find and fix weaknesses proactively, before an incident happens.
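To make the "early detection" and "missed signals" points concrete, the following added example (not from the original post, and not based on Yahoo's telemetry) runs simple correlation rules over constructed audit events modelled on the chain described above: a backup copy followed by an FTP transfer to an external host, deletion of the copied backup and log clearing, and bulk cookie minting. The event format, the corporate IP range, the one-hour window and the cookie rate limit are all assumptions.

```python
import ipaddress

# Constructed audit events (not real telemetry), modelled on the chain described above:
# stolen credentials -> UDB backup copied -> FTP to an external host -> backup deleted -> logs cleared.
EVENTS = [
    {"ts": 100, "host": "udb-03", "user": "emp_a", "action": "file_copy", "path": "/backups/udb-weekly.tar"},
    {"ts": 180, "host": "web-17", "user": "emp_a", "action": "net_out", "proto": "ftp", "dst": "203.0.113.9", "bytes": 4_800_000_000},
    {"ts": 200, "host": "web-17", "user": "emp_a", "action": "file_delete", "path": "/tmp/udb-weekly.tar"},
    {"ts": 210, "host": "web-17", "user": "emp_a", "action": "log_clear", "path": "/var/log/auth.log"},
    {"ts": 300, "host": "auth-02", "user": "svc_cookie", "action": "cookie_mint", "count": 40_000},
    # Benign control: a backup copy that is only transferred to an internal host raises nothing.
    {"ts": 400, "host": "udb-03", "user": "emp_b", "action": "file_copy", "path": "/backups/udb-weekly.tar"},
    {"ts": 420, "host": "udb-03", "user": "emp_b", "action": "net_out", "proto": "ftp", "dst": "10.20.0.5", "bytes": 4_800_000_000},
]

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address range
EXFIL_WINDOW = 3600                               # assumed max seconds between backup copy and transfer
COOKIE_RATE_LIMIT = 1000                          # assumed legitimate cookie mints per event

def is_external(ip):
    """True when the destination lies outside the assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """Return (rule, user) alerts for the signals a defender could have acted on."""
    alerts = []
    last_backup_copy = {}  # user -> timestamp of their most recent backup-file copy
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if e["action"] == "file_copy" and "/backups/" in e["path"]:
            last_backup_copy[u] = e["ts"]
        elif e["action"] == "net_out" and e["proto"] == "ftp" and is_external(e["dst"]):
            # External FTP shortly after touching a backup is the exfiltration signal.
            if u in last_backup_copy and e["ts"] - last_backup_copy[u] <= EXFIL_WINDOW:
                alerts.append(("backup_exfil", u))
            else:
                alerts.append(("external_ftp", u))
        elif e["action"] == "log_clear" or (e["action"] == "file_delete" and "udb" in e["path"]):
            # Log cleaning and deleting the staged backup are anti-forensics signals.
            alerts.append(("anti_forensics", u))
        elif e["action"] == "cookie_mint" and e["count"] > COOKIE_RATE_LIMIT:
            alerts.append(("bulk_cookie_mint", u))
    return alerts

if __name__ == "__main__":
    for rule, user in detect(EVENTS):
        print(f"ALERT {rule}: {user}")
```

Each rule maps to one stage the attackers passed through unnoticed; in a real deployment the same correlation would run against authentication, file-audit and network-flow logs rather than a hand-built list.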

Partnering with a vendor specializing in proactive cybersecurity practices can leave you better equipped to handle situations such as the Yahoo incident. For example, vulnerability assessments, penetration testing, threat hunting, and aggressive incident response are all services that can help your organization protect itself against sophisticated cyber attacks and be better prepared should an unforeseen incident occur. Contact AccessQuint if any of these services interest you.

Veera Sandiparthi

Written by Veera Sandiparthi. Mr. Veera Sandiparthi is a seasoned entrepreneur who brings 18 years of experience with technology solutions and delivering secure, integrated enterprise solutions across various industries, including financial, healthcare, technology, and federal. Mr. Veera serves as the President and CEO of AccessQuint LLC. Over the past 2 years he has become an expert in developing strategic cybersecurity solutions for both global and domestic clients. By strategically leveraging AccessQuint LLC's expert security resources and best practices, along with his own extensive knowledge of industry challenges and organizational needs, he helps his clients maintain the highest levels of quality while increasing efficiency and streamlining costs.