Yahoo's Ugly Death, Part 2

Between 2010 and 2014, Yahoo was hacked numerous times - each time setting a new 'world record' for the largest data breach in history. It also hid those breaches from it's investors, customers and the SEC.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Yahoo's Ugly Death, Part 2

In 2009, Chinese state hackers breached Google. They stole intellectual property, and used GMail access to target individual political dissidents such as the artist Ai Weiwei.

We did a whole two episodes about this hack, known as “Operation Aurora.” We talked about Google’s presence in China, why the government may have had an interest in making enemies of them, and how they actually managed to breach Google.

But dozens of other major companies were also caught up in the same hack: Adobe, Symantec, Morgan Stanley, Northrop Grumman, Blackberry and plenty more. Why, then, did we focus so much on one company?

Well, there’s that saying: history is written by the victors. In the case of Operation Aurora, history was written by Google.

They were the first to disclose the story, in a blog post on January 12th, 2010. Now, usually, when companies disclose major breaches in a blog, they do so with vague language and platitudes. Things like “we are investigating and taking appropriate action,” and “the security of our users is paramount.” Maybe you’ve read a few of those before. Google’s blog, on the other hand, did not mince words. Quote:

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

End quote. The news that Google would potentially shut down their operation in China, in response to a data breach, was massive. Google would be giving up access to a market of over one billion people, and possibly shutting down an entire branch of the company along with all its employees. But, more so than that, they were actually confronting the Chinese government. They weren’t attacking them, but they were standing up to them.

But that blog post was just the beginning. Reports told that co-founder Sergey Brin took the attack as a personal affront, and made it his mission to ensure such a thing would never happen again. Eric Schmidt, CEO at the time, described the attitude within the company. Quote: “When the Chinese attacked in 2010, that was an entire wake-up call for us; our entire attitude changed.” End quote.

Google was on a warpath. They hired hundreds of cybersecurity experts from around Silicon Valley, and from the NSA. In fact, they didn’t just hire hundreds of experts–they paid absolutely eye-watering six-figure signing bonuses to get the very best experts.

With those experts they formed a world-class threat analysis group, and created “Project Zero”–a team tasked with identifying zero-days in technology outside of Google. They invested hundreds of millions of dollars into building a new, state-of-the-art cybersecurity infrastructure. Then, according to the New York Times, Google restructured its own IT systems to work as a cybersecurity megaweapon. Quote: “Google turned the company’s storage, search and computational power into a security weapon of sorts. Whenever something malicious appeared on the internet, Google could search its entire network–years back–in minutes to see if it had ever touched its systems.” End quote.

So, in summary, Google got hacked for some IP and a couple of GMail accounts. In response, they spent hundreds of millions of dollars–maybe over a billion–rebuilding their infrastructure, hiring the best experts in the world, and building an absolute cyber-mega-death-ray, all to make sure something like Operation Aurora could never happen again.

Now think about it. Have you heard of any big Google hack in the last decade? No? This is why not.

AURORA: YAHOO

Another company breached in the Operation Aurora attacks was Yahoo.

At least, that’s according to reporting from The Washington Post and others. Yahoo to this day has never publicly acknowledged being breached in the Aurora attacks. Instead, all we have to go on is one sentence from a spokesperson. Quote: “Yahoo does not generally disclose that type of information, but we take security very seriously and we take appropriate action in the event of any kind of breach.” End quote.

It may be that Yahoo didn’t actually know they were hacked until the rest of us did. But if they did know, and just didn’t say anything, it wouldn’t have been out of character.

Three and a half years before Marissa Mayer, in January 2009, Yahoo hired Carol Bartz as CEO. Unlike Marissa, Carol was a CEO’s CEO–brash, no-bullshit. She was experienced, having been CEO at Autodesk, and a board member at Intel, Cisco and other major companies.

Like Marissa, she made it her mission to reorganize the company–cutting costs, swapping in a new set of executives, and slashing 5% of jobs. But those changes came with a high level of secrecy. Reuters noted her quote, “famous penchant for tight lips,” but this was an understatement. Everything was, as one anonymous employee put it, “on a need-to-know basis.” Even when entire divisions of the company were being shut down, sometimes, employees were last to know. And Bartz made no qualms about this policy of hers. During her very first month on the job, she joked that she would, quote, “drop-kick to fucking Mars” any employee who leaked insider info to the press.

Is it any surprise, then, that Yahoo didn’t disclose their role in Operation Aurora?

Even if Yahoo did know they were hacked, and did have good reason to keep it quiet, their security apparatus was not nearly up to the task. While Google was investing hundreds of millions of dollars to make sure something like Aurora would never happen again, Yahoo was doing no such thing. The pressing need to save the business overshadowed any concern for security, for Bartz and other CEOs before and after her.

Marissa Mayer took it on the chin in our last episode of Malicious Life. It’s easy to blame her for the things that happened to Yahoo, during her tenure, that you’ll hear about today. But make no mistake about it: even before she arrived, Yahoo was already a mess. For years before they actually were, Yahoo was already the kind of company you’d expect to be breached for, I don’t know, a few hundred million user accounts.

ALEKSEY BELAN

Aleksey Belan was born on June 27th, 1987 in Riga, Latvia. He’s got blue eyes, and long brown hair in the style of a 2000s boy band singer. He’s six feet tall and, according to the FBI, around 172 pounds. How does the FBI know the weight of a foreign criminal? Why pick such a specific number as 172, instead of 170 or 175? If you had to guess why the FBI had such detailed physical metrics on Aleksey, it’s probably because he drew so much attention.

As early as age 18, Belan was hacking into popular websites, search engines, MMOs and tech companies mostly located in and around Russia and Ukraine. He became well-known to the hacker underground under the name M4G. But it was in his 20s, when he started targeting Western companies, that the FBI took notice.

In 2012, Belan hacked Zappos. In 2013, Scribd and Evernote. He was indicted by the FBI for hacking three other e-commerce companies around the same time and, according to Forbes, he was also involved in hacks of multiple online healthcare insurers. So you’d have to say that, by 2012-2013, Aleksey Belan was one of the few most prolific hackers in the entire world.

And then his legend only grew. In 2013, the FBI put out an international warrant for his arrest. Any law enforcement agency in Europe or elsewhere, who spotted Aleksey, was to immediately apprehend and then extradite him to the United States. According to rumors, Aleksey was living in Greece at the time. It’s said that he was apprehended there. But by the time the FBI got word, Aleksey was in Russia. How did he escape law enforcement? We don’t know.

It was in Russia where he was contacted by two agents of the FSB, Russia’s security agency.

FSB CONSPIRACY

Dmitry Dokuchaev and Igor Sushchin had a very different kind of relationship with U.S. law enforcement than Aleksey. They were not criminals. In fact, they were part of a FSB unit that U.S. officials would sometimes work with in cybercrime investigations. That’s not to say that the U.S. and Russia often worked together, but to the extent they did, these guys were the point of contact.

Unfortunately for the United States, in 2014, Dmitry and Igor weren’t in a collaborative mood. They found Aleksey not to capture and extradite him, but to employ him. They wanted the guy who made hacking major American corporations seem easy, to help them hack Yahoo.

Why did the FSB want to hack Yahoo? A better question might be: why wouldn’t they?

It was the perfect target. Even if Yahoo’s active user base was dwindling by the month, they still had one of the biggest–if not the biggest–catalogues of accounts on the entire internet. Think about all those people who used Yahoo back in 2001, and didn’t completely delete their accounts. We’re talking about billions of people. Heck, I bet you–yes you, listening to this podcast right now–had a Yahoo account at some point, and that it might still be floating out there on some server somewhere.

So Yahoo was sitting on an absolute mountain of user data, making it a big, fat target for any hacker in their right mind. And how secure was all that data? Well, you have some idea of it by now.

All it took was a routine phishing email to a mid-level employee. Once the employee clicked on a malicious attachment, Aleksey Belan had a way into the system.

For months, the Russians conducted reconnaissance on the network. They honed in on two targets. The first was Yahoo’s user database–a store of names, phone numbers, emails, recovery emails and more information on individual account holders. The second target was an account management tool, which would allow the hackers to make changes to the accounts, such as changing their passwords, with ease.

But then, they found something even better. From Ars Technica, quote:

“The intruders then discovered a tool that let them “mint” cookies for specific user accounts, allowing them to gain access to the accounts without changing their passwords. The UDB records for each user contained a “nonce”—a cryptographic number associated with the user’s account that could be used to generate the cookies issued after user authentication. Using the code—at first on the Yahoo network and then outside of it on systems they controlled, both the FSB agents and Belan allegedly were able to create forged cookies and use them to gain access to targeted accounts.”

When the Russians found the cookies tool, it must have felt something like getting a free chocolate cake delivered to your front door–you didn’t ask for it, but heck if you’re not going to enjoy it! With only the database and account management tool, they could have reset the passwords on any account they wished, thereby gaining access and locking out the account owner. But what’s even better than that? Generating cookies that authenticated them, without having to change the password, thereby allowing them complete access to the account while in no way notifying the account holder. It really was that easy. They used a Firefox plugin.

Once Aleksey downloaded the user database to his computer using file transfer protocol, he and his co-conspirators could generate login authenticators for any Yahoo account, without even having to interact with Yahoo’s network. The most difficult part of it all was probably just downloading all that account data. Aleksey Belan and his FSB conspirators had their hands on over 500 million accounts, to do with whatever they wished.

They’d just pulled off the largest hack, by volume, in cybersecurity history.

SNOWDEN/STAMOS

There was a point in time when Yahoo’s cybersecurity actually began to turn around, and became something worth admiring.

You could trace it back to 2013, when Edward Snowden revealed to the world how pervasively the National Security Agency had been surveilling people, organizations and governments around the world. It was a revelation to all of us, but a different kind of revelation inside Yahoo.

Part of what the Snowden leaks revealed was that the NSA didn’t just spy on foreign adversaries and threats, but also completely innocent U.S. citizens and corporations. Really, everything Aleksey Belan and the FSB did in 2014, the NSA and Britain’s GCHQ did before them, years before, much more severely. They hacked Yahoo instant messaging, and intercepted the communications links between Yahoo data centers to steal metadata about users. In one case–an initiative titled “Optic Nerve”–GCHQ captured and collected screenshots taken during Yahoo messenger webcam sessions. Every five minutes, any time anyone in the world was video chatting through Yahoo, surveillance computers snapped their pictures and stored them in government databases. The results of Optic Nerve were, as you’d expect, underwhelming. The most interesting finding was, quote, “that a surprising number of people use webcam conversations to show intimate parts of their body to the other person.” End quote. British surveillance agents, presumably without better things to do with their time, tallied that around 3 to 11 percent of Yahoo webcam sessions contained, quote, “undesirable nudity.”

If you were Marissa Mayer, and found out that your company had been hacked in, essentially, every possible way it could be hacked, you’d probably want to beef up security. To some extent, that’s what they did. In 2014, they spent 10 million dollars on encryption technology. More importantly, they hired a new CISO–Alex Stamos.

Stamos was already respected in the industry, and once he arrived at Yahoo, he proved his worth. From the New York Times, quote:

“current and former employees say he inspired a small team of young engineers to develop more secure code, improve the company’s defenses — including encrypting traffic between Yahoo’s data centers — hunt down criminal activity and successfully collaborate with other companies in sharing threat data. He also dispatched “red teams” of employees to break into Yahoo’s systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange.”

All signs showed that Stamos was helping Yahoo overcome its poor track record for security.

But this story is about cybersecurity by management. Even when Stamos was trying to do the right things, according to reports, he received little support from his superiors. Proposals for greater security measures on Yahoo products were shot down. Employees would later describe being starved for budget, by executives whose priorities were elsewhere. Even those who liked Stamos were nonetheless lured away by Google, and other companies who paid better and cared more about their security overall.

If there’s one telling instance that demonstrates just how difficult it was to do security at Yahoo, it was when the security team lobbied executives to implement end-to-end encryption on all of the company’s data. Great idea, right? The benefits were obvious–even if a hacker were to crack Yahoo Mail, for example, they’d have no way of reading any messages. User privacy would be massively better protected.

But there was a flip side: even Yahoo itself wouldn’t be able to read user emails and messages. To management, that was a problem. One of the ways Yahoo came up with new services was by mining what users were writing about and searching for. How else could they come up with new, innovative services if they couldn’t spy on customers?!

The Times summed up the problem, writing, quote: “To make computer systems more secure, a company often has to make its products slower and more difficult to use. It was a trade-off Yahoo’s leadership was often unwilling to make.” End quote. Yahoo’s security team was denied end-to-end encryption. Then, months later, the decision paid off. The FBI ordered Yahoo to search all its customers’ messages, and doing so was very easy, because they weren’t encrypted.

BACK TO 2016

On July 25th, 2016, Verizon announced that it would be acquiring Yahoo for 4.8 billion dollars.

Seven days later, a darknet data breach broker named “Peace” began selling stolen Yahoo accounts.

That would seem like a pretty big conflict but, apparently, it wasn’t. Five weeks later, in a regulatory filing with the Securities and Exchange Commission, Yahoo wrote that it was unaware of, quote, “any incidents of, or third party claims alleging” a breach. This was strange, because Peace_of_Mind was a third party, alleging that he had access to 200 stolen accounts. Yahoo was aware of this. Maybe they just didn’t take him very seriously.

Or maybe something else was going on. 13 days after telling the SEC that they had no knowledge of any major cyber incidents, Yahoo announced that they’d been hacked–by the FSB, though they didn’t specify–for 500 million accounts.

Amid the worldwide headlines, there were more than a few people surprised by the news. Verizon, for one, hadn’t been told of any such hack when they were negotiating to buy the company. The SEC certainly had reason to find Yahoo’s timing suspicious. But one man in particular was as surprised as anyone, and for an entirely unrelated reason.

KOMAROV

Andrew Komarov–a Russian cyber investigator based in Arizona–is an expert in the Russian-Eastern European cyber underground. In his day-to-day work, he tracks cybercriminals and their various activities on the dark web. Back in the late summer of 2016, around the same time Peace_of_Mind published stolen Yahoo data online, and Yahoo denied any knowledge of it, Komarov was involved in a wholly separate investigation of his own.

For three years, he had been watching over a group he referred to as Group E. In August 2016, Group E claimed to have their own trove of Yahoo user data–500 million accounts, or even one billion. The price tag: 300,000 dollars.

Komarov monitored Group E closely–watching as they negotiated sales, pilfering off their data in the process. In all, Group E sold their Yahoo data to three buyers. Two of the buyers were spamming groups. The third buyer was different. From Bloomberg, quote:

“The other had an unusual request before completing the purchase. The buyer gave the sellers a list of ten names of U.S. and foreign government officials and business executives, to verify their logins were part of the database. That led Komarov to speculate the buyer was a foreign intelligence agency.”

By the way he was tracking Yahoo’s lost user data, you’d expect Komarov to have been the least surprised person on earth when, on September 22nd, 2016, Yahoo announced that it had been breached for half a billion user accounts. He already knew that, unlike the rest of us!

But as Komarov combed Yahoo’s announcements, he noticed something. The data they claimed to have lost included recovery emails, which Group E’s data did not. It was more encrypted than Group E’s data was.

Could it be? Yahoo had revealed a hack of 500 million accounts, while he, Andrew Komarov, was sitting on an entirely different breach of over a billion accounts.

There was no more time for sleuthing. Komarov grabbed what he had and went directly to U.S. authorities. According to the New York Times, his firm didn’t bring the information to Yahoo, quote:

“because the internet giant was dismissive of the security firm when approached by an intermediary. He also said he did not trust Yahoo to thoroughly investigate the breach since it could threaten the sale to Verizon.”

Working with authorities, Komarov uncovered several million accounts associated with government and military officials in various, mostly Western countries. Over 150,000 accounts belonged to American government and military personnel, most of which were presumably created before stricter rules were put in place regarding what kinds of accounts such officials could have.

But even millions of government officials represented just a small portion of what he had uncovered. On December 14th, 2016, after receiving news of Komarov’s findings, Yahoo announced that they’d suffered another breach. This time it was the mysterious Group E, all the way back in 2013. One billion Yahoo accounts in total. It was twice as big as the biggest data breach ever recorded before that–the previous record holder being that hack Yahoo had disclosed just a few months prior.

The following year, it was revealed that the one billion figure was incorrect. It was actually three billion accounts. Every single Yahoo account in existence had been breached. The equivalent of 40 percent of the entire world’s population. Six times as large as their own record for largest data breach in history.

It’s actually difficult to conceive of such a massive breach. It’s kind of like…do you remember when Usain Bolt set the world record for the 100-meter run, in 9.72 seconds? Then, in the 2008 Olympic final, he beat his own record in 9.68? Then, a few months after that, he did it in 9.58? Yahoo is to cyber breaches what Usain Bolt is to running–not just record breaking, but in a category entirely their own.

WHEN THEY KNEW

We may never know exactly how the 2013, Group E hack was pulled off–Yahoo’s logs simply don’t go back far enough to have left any evidence. All we know, at least publicly, is what Andrew Komarov–a lone security researcher in Arizona–was able to uncover, while the entire Yahoo corporation was completely in the dark.

That leaves us with only one mystery remaining. In late 2016, Yahoo disclosed two hacks of its systems–one in 2013, by Group E, for three billion accounts, and one in 2014, by Aleksey Belan and two FSB officers, for half a billion. Both of these attacks were discovered years after the fact, but we have such detailed information about one and not the other. We know the FSB agents Aleksey Belan worked with, how they broke in, what they did with the data, but we know hardly anything about Group E and how they stole six times as much data. Why is that?

Well, when an independent committee was tasked with reviewing Yahoo’s responses to its breaches, it found that, quote, “In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts.” End quote.

When the FSB hacked Yahoo in 2014, Yahoo knew. They just didn’t, you know, tell us.

In fact, they didn’t do a whole lot about it in general. Quote:

“Failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. [. . .] it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team.”

After CEO Marissa Mayer became aware, in 2014, of a sensitive data breach, the company opted to inform 26 affected people–high-value government targets. The other 500 million users were kept in the dark for two years, on purpose. From the New York Times, quote:

“Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.”

FALLOUT/SEC

This, listeners, is why management is as important to enterprise cybersecurity as any CSO, any security analysts or what software they have on their computers. In 2014, Yahoo was well aware that it had been breached, and that the breach was significant and state-sponsored. They had one of the most respected CISOs in the industry on their payroll, and a security team that did their jobs and meant well. But the people who could really do something to remedy the situation just didn’t act.

In fact, they didn’t just not do anything–they specifically, actively, did nothing. When Stamos tried implementing universal encryption on all the company’s data, Marissa Mayer shot him down. When Yahoo learned about their 2014 breach they didn’t just not disclose it–they actively hid it from the public, Verizon, and even the U.S. government. Rather than have users reset their passwords, they said nothing in order not to scare anyone off. Despite new breaches occurring every year–in 2010, 2012, 2013, 2014–they continually failed to invest as much time and effort into trying to keep their customers safe as they did trying to keep them from going to Google.

But the corporate executives who did all this were finally set to pay the price when, in 2017, the SEC took a more active role in their case. According to federal securities law, public companies like Yahoo are required to disclose any information which, quote, “a reasonable investor would consider important in an investment decision.” If we were to use an example: the biggest data breach in history would count as something that Yahoo investors might reasonably want to know about. According to the SEC:

“When Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches.”

The slippery language in Yahoo’s financial reports from 2014 to 2016 allowed them to cover themselves legally, to an extent, while still covering up what they knew. It’s like if I shot Nate Nelson in the head, and when the police questioned me, I told them “Look, is Nate Nelson subject to the effects of physical damage to his body? We all are, sometimes.”

This, friends, is called “securities fraud.” Quote:

“In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.”

On April 24th, 2018, the SEC made history by charging a major corporation–Yahoo–with failure to disclose a security breach. It indicated just how egregious the case was, that this was the first time any such measure had ever been taken before. The company, and those executives who’d so royally screwed their customers were about to get their comeuppance.

What kind of severe, history-making penalty could fit the crime of what they’d done? According to the SEC: 35 million dollars. 35 million for lying to the SEC, investors, Verizon and customers. For context, Yahoo’s revenue for the year of 2016 was 5.2 billion dollars. That means, for having committed securities fraud, Yahoo was penalized a whole two days worth of company revenue. The agony!

As for the individual participants: Alex Stamos was around for none of this. After learning that his boss was using cyberspying technology behind his back, he left the company in 2015 and moved to Facebook. He hasn’t made a public comment about Yahoo since.

Multiple Yahoo executives, instead of being fired, walked away from the company with multi-million-dollar bonuses. Only one person–a lawyer–was fired without pay in connection with the 2014 hack.

And that leaves only one person: Marissa Mayer. When her company was sold to Verizon, she gracefully left her post and went on to found an AI company. For her work running Yahoo over the years, she received an exit package worth 23 million dollars.

Even Richard Smith didn’t get a deal like that.

EPILOGUE

One last thing before we go.

This was a story about corporate mismanagement of cybersecurity, where those in power made bad decisions and didn’t pay the price.

Meanwhile, at the other end of these hacks, were the hackers themselves. According to what we know on the outside, only one person involved in any of those many attacks received justice for doing so. Karim Baratov, a young citizen of Toronto, was arrested and sentenced to five years in jail for having helped Aleksey Belan crack around six and a half thousand targeted accounts – an interesting story by itself, probably worth a future episode of ML.

Aleksey Belan himself–the guy who stole the 500 million Yahoo accounts in 2014–is still one of the FBI’s most wanted cybercriminals. Presumably, he’s somewhere in Russia, where he’s unlikely to be extradited or brought to court. One would imagine that his FSB handlers–Dmitri and Igor–are equally safe and secure in their jobs.

So, in the end, after the two largest data breaches in world history, Yahoo’s executives walked away with millions, their hackers walked free, and only one 20-something script kiddie was punished.

Actually, that’s wrong–there’s one other loser in this story. It’s you. In all likelihood, you, listening to this now, had a Yahoo account some time between 2000 and 2016, that was compromised once or many times over by hackers. That information made it into the hands of darknet criminals, and may still be out there, somewhere, right now.

Might be a good time to change your passwords.