PP2: Cybersecurity
The Yahoo Data Breaches: Cybersecurity Failures and Fixes
In this digital age, data has become one of the most valuable assets. In turn, cybersecurity breaches have become a major threat to governments, corporations, and individuals. Some of the biggest cybersecurity failures in history are the Yahoo data breaches of 2013 and 2014, which compromised billions of users. These breaches were kept under wraps until 2016, when Yahoo disclosed that their systems failed because of shortcomings involving encryption and authentication factors. The Yahoo data breaches exposed major weaknesses in corporate cybersecurity, leading to a tarnished reputation and financial losses for the company while also promoting stronger security and regulations when it comes to cyber attacks.
Yahoo's cybersecurity crisis unfolded in two major attacks. The first one, which happened in 2013, was one of the largest data breaches in cybersecurity history and impacted all 3 billion user accounts on the platform (Cybercrime Magazine). Even years later, the company hasn't been able to figure out who the perpetrator of the first attack was. Account information such as users' names, email addresses, phone numbers, birth dates, hashed passwords, and security questions/answers was stolen in the breach (NPR).
Several critical security failures contributed to Yahoo's breaches. One of the main ways that the hackers got access to people's accounts was by using forged cookies. NBC News defines a forged cookie as "a little token that is stored into your browser" that "allows the site to store some information and allows you to bypass efforts..." By utilizing these cookies, the hackers were able to stay logged into people's accounts without actually having to enter a password. Yahoo has since invalidated these cookies and added other features that make users' information more secure.
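To show why invalidating cookies matters, here is an added example (not Yahoo's code and not from the sources cited in this post) of how a server can check a login cookie. It assumes a hypothetical HMAC-signed cookie format; the keys, session IDs, and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real service loads keys from a secret store.
KEYS = {1: b"constructed-demo-key-v1", 2: b"constructed-demo-key-v2"}
REVOKED_KEY_IDS = set()                 # key versions retired after a compromise
ACTIVE_SESSIONS = {"s-1001": "alice"}   # server-side session store: sid -> user

def b64url(data):
    return base64.urlsafe_b64encode(data).decode()

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_cookie(sid, kid, now=None, ttl=3600):
    now = time.time() if now is None else now
    payload = json.dumps({"sid": sid, "kid": kid, "exp": int(now + ttl)}).encode()
    return b64url(payload) + "." + b64url(sign(KEYS[kid], payload))

def revoke_key(kid):
    """Invalidate every cookie signed under one key version."""
    REVOKED_KEY_IDS.add(kid)

def verify_cookie(cookie, now=None):
    """Return (user, reason); user is None whenever the cookie is rejected."""
    now = time.time() if now is None else now
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        claims = json.loads(payload)
        key = KEYS[claims["kid"]]
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    # Constant-time comparison: a cookie made without the key fails here.
    if not hmac.compare_digest(tag, sign(key, payload)):
        return None, "bad-signature"
    if claims["kid"] in REVOKED_KEY_IDS:
        return None, "key-revoked"
    exp, sid = claims.get("exp"), claims.get("sid")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    # A valid signature is not enough: if the key leaked, only this lookup
    # stops a cookie minted for a session the server never created.
    if not isinstance(sid, str) or sid not in ACTIVE_SESSIONS:
        return None, "session-invalid"
    return ACTIVE_SESSIONS[sid], "ok"
```

Retiring a key version with `revoke_key` rejects every cookie signed under it at once, which is the kind of mass invalidation described above.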
After the breaches became public, Yahoo implemented several security reforms, though the damage had already been done. The company required users to reset their passwords, invalidated old security questions/answers, and encouraged two-factor authentication. They have also dedicated more funding and resources to continually developing their cybersecurity systems (CSHub).
The breaches also had major financial consequences. Yahoo, which was in the process of being acquired by Verizon, suffered a $350 million reduction in its sale price due to its security failures. What once was a company worth $4.83 billion was bumped down to $4.48 billion once the breaches went public (Reuters).
A class-action settlement also demanded that Yahoo pay $117 million to users who were impacted by the breaches. In addition, Yahoo had to pay a $35 million penalty to settle charges that it failed to disclose information about the breaches to investors (SEC). There were also a number of smaller settlements that Yahoo had to pay out to users and investors alike.
Yahoo's failure to provide proper security for user data highlighted the need for stronger cybersecurity policies worldwide. Governments and corporations have adopted stricter regulations and security technologies, including:
- General Data Protection Regulation (Europe, 2018): Imposes strict penalties on companies that fail to protect user data and requires swift breach disclosures.
- California Consumer Privacy Act (California, 2018): Gives consumers more control over their data and forces companies to be transparent about their data collection practices.
Despite advancements in cybersecurity spurred by incidents like the Yahoo data breaches, attackers and hackers have continued to evolve. It is important that entities and individuals keep up with developments in cybersecurity and understand how to properly protect their data. The Yahoo data breaches serve as a cautionary tale about the consequences of weak cybersecurity practices and delayed response efforts. The lessons that were learned remain relevant today, underscoring the need for constant innovation in the fight against cybercrime.





