On March 15th, federal investigators announced that two Russian intelligence agents were among the four people officially charged for the 2014 Yahoo hack that left 500 million accounts compromised in one of the largest data breaches in history.
Since late 2016, Yahoo has indicated that a “state-sponsored actor” was behind the breach, but this is the first time that the United States government has confirmed the allegation of foreign intervention. Yahoo announced the event in September, but has not been able to issue detailed comments, since the case was the subject of a federal investigation.
There’s a lot to dig through here, but we’ll do our best to provide some insight for the computer users affected by the data breach. Some important points to note:
- The data contained sensitive information. Personal names, birth dates, and other account details were compromised, and the hackers could likely access the Yahoo accounts of millions of users. These accounts included email. However, the compromised data did not include passwords or payment information (such as credit card numbers).
- Users weren’t informed right away. There’s some evidence that Yahoo knew about the breach for months, possibly even years, before it announced to the public that data was compromised. Several senators, including Vermont’s Patrick Leahy, have called for more transparency from Yahoo and expressed concern regarding the delayed announcement.
- Two of the people charged with crimes are members of Russia’s Federal Security Service (FSS). The New York Times reports these agents as “Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident.” The other individuals charged with the crimes (constituting 47 criminal charges) are Igor Anatolyevich Sushchin, 43, a Russian national; and Karim Baratov, 22, a Canadian and Kazakh national living in Canada.
- Many security experts believe that the compromised data wasn’t properly protected. In particular, Yahoo didn’t encrypt its security questions. Passwords were reportedly secured with bcrypt, a relatively strong hash, but experts believe that other information—including birthdays and other private info—wouldn’t have been protected with the same encryption.
So, why wouldn’t Yahoo protect all data with the same encryption? The likely answer is practicality. Large technology businesses need to be able to quickly access data, and encryption slows that process down.
If you’re wondering how the hackers gained access, the short answer is that we don’t know all of the details yet. However, the agents apparently used forged cookies to access certain accounts without a password. To create these tools, the hackers likely stole proprietary code from the technology giant.
While most reports describe two of the hackers as “Russian agents,” we don’t have evidence that the government of Russia sponsored, financed, or endorsed this breach. However, we’re still comfortable calling them Russian agents, since they were affiliated with the Russian FSS.
Do I Need to Do Anything to Protect My Data?
Yes. If you used Yahoo accounts from 2013 to 2017, we’d strongly recommend changing your passwords. Note that some Yahoo products aren’t branded; Tumblr, for instance, is a Yahoo property.
In general, it’s a good idea to change passwords regularly and to enable multi-factor authentication, which can prevent some types of data breaches.
Are There Any Consequences for Yahoo?
Many security experts and consumers believe that Yahoo is at least partially responsible for the data breach. We won’t make a judgment, but we’ll note that the company isn’t escaping this event unscathed.
Marissa Mayer, Yahoo’s chief executive, lost her 2016 bonus and 2017 stock compensation. The company’s top lawyer, Ronald S. Bell, resigned several weeks ago. Additionally, the company’s value fell, which was significant; Yahoo recently agreed to a deal to sell its businesses to Verizon, and in light of the scandal, Verizon was able to reduce the original $4.8 billion deal by $350 million.