Last week, Yahoo owned up to the largest hack publicly known to have occurred in computing history. Passwords, logins, and other account information on some 500 million people were stolen in the heist. At the time, Yahoo claimed that the hack was the work of state-sponsored actors, but independent analysts studying the breach have begun pushing back on that assessment, while current and former Yahoo employees say security was a distant priority at the company.
InfoArmor has published a timeline and history of the attack against Yahoo. The first offers to sell Yahoo-derived data appeared on April 3, 2016. According to InfoArmor’s analysis, the individuals attempting to sell the Yahoo data (and other major data sets for websites like Instagram, LinkedIn, Dropbox, MySpace, and Tumblr) are fronting the data sets for criminal groups, as opposed to acting directly on behalf of government agencies in foreign countries. It’s not always easy to tease these relationships apart, since criminal hackers sometimes sell data to nation-states, or could be hired to work directly on their behalf.
The graphic below shows the proposed relationships between a set of professional, Eastern European black hats in green, English-speaking threat actors (in red), and a potential group of state-sponsored actors who purchase data from the digital fences but weren’t directly involved in the hack itself (purple).
It’s generally considered difficult to prove that any single government was responsible for a hack. But state-sponsored attacks tend to be extremely sophisticated, with carefully crafted malware that goes after specific targets. If conventional malware attacks are WW2-era carpet bombing, targeted, state-sponsored malware is the modern, self-guided ‘smart’ weapon with precision strike capabilities and advanced munitions. The InfoArmor analysis also revealed the scope of what was taken from Yahoo: login IDs, country codes, recovery emails, date-of-birth records, MD5 password hashes, cell phone numbers, and ZIP codes were all stolen. The MD5 detail matters: MD5 is a fast hash that was never designed for password storage, and an attacker holding the hashes can test candidate passwords offline at billions of guesses per second on commodity GPUs, so a large share of the stolen passwords should be assumed recoverable.
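To make concrete why MD5 password hashes in a dump are so damaging, and why a forced password reset is the only real remedy once they leak, here is an added example (not code from the article or from InfoArmor) that runs a dictionary attack against a small, constructed dump of unsalted MD5 hashes and then repeats it against the same passwords stored with a per-user salt and an iterated KDF. The accounts, passwords and wordlist are all hypothetical and constructed inline; the iteration count is deliberately low so the demo runs in seconds.

```python
import hashlib
import secrets

# Constructed sample dump of the kind the article describes: login IDs paired
# with unsalted MD5 password hashes. The accounts are hypothetical and the
# hashes are computed here rather than copied from any real leak.
SAMPLE_DUMP = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"password1").hexdigest(),  # reuses alice's password
    "dave@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "iloveyou"]

# Kept low so the demo runs quickly; production deployments should use far more.
DEMO_ITERATIONS = 100_000


def crack_unsalted_md5(dump, wordlist):
    """Dictionary attack against unsalted MD5.

    Each candidate is hashed once and compared against every account at the
    same time, so the cost is len(wordlist) hashes no matter how many users
    are in the dump, and every user who chose the same password falls at once.
    Returns ({user: password}, hashes_computed).
    """
    lookup = {}
    for candidate in wordlist:
        lookup[hashlib.md5(candidate.encode()).hexdigest()] = candidate
    found = {user: lookup[h] for user, h in dump.items() if h in lookup}
    return found, len(lookup)


def hash_password(password, salt=None, iterations=DEMO_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iters$salt$dk'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def build_salted_dump(plaintexts, iterations=DEMO_ITERATIONS):
    """Store the same constructed accounts with a fresh salt per user."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in plaintexts.items()}


def crack_salted(dump, wordlist):
    """The same dictionary attack against salted, iterated hashes.

    No shared lookup table is possible: the KDF has to be rerun for every
    (user, candidate) pair, so cost scales with users * candidates * iterations.
    Returns ({user: password}, kdf_calls).
    """
    found, calls = {}, 0
    for user, stored in dump.items():
        for candidate in wordlist:
            calls += 1
            if verify_password(candidate, stored):
                found[user] = candidate
                break
    return found, calls


if __name__ == "__main__":
    cracked, work = crack_unsalted_md5(SAMPLE_DUMP, WORDLIST)
    print(f"unsalted MD5: {len(cracked)}/{len(SAMPLE_DUMP)} accounts cracked with {work} hashes: {cracked}")

    plaintexts = {  # constructed, only so the salted dump can be built for comparison
        "alice@example.com": "password1",
        "bob@example.com": "letmein",
        "carol@example.com": "password1",
        "dave@example.com": "correct horse battery staple",
    }
    salted = build_salted_dump(plaintexts)
    cracked, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: {len(cracked)}/{len(salted)} accounts cracked with {work} KDF calls of {DEMO_ITERATIONS} iterations")
```

The weak passwords still fall in both cases; salting and iteration only raise the attacker's cost per guess and stop one computation from cracking every user who picked the same password. Neither protects a password that is already in a wordlist, which is why, once hashes of any kind have leaked, resetting them is the measure that actually closes the exposure.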
An investigation by the New York Times doesn’t paint a flattering picture of Yahoo’s security posture. While Yahoo created a dedicated security team after high-profile attacks took down other services, it rarely listened to its own experts, dubbed the “Paranoids” internally. Yahoo didn’t implement a bug bounty program until 2013, three years after Google debuted its own. In 2013, the Snowden leaks demonstrated Yahoo was a frequent target of hacking attempts, but it took the company a full year to even hire a chief information security officer.
Yahoo’s security team pushed for end-to-end encryption for all Yahoo products. They were shut down by protests from Jeff Bonforte, the senior VP overseeing email and messaging services, who argued that end-to-end encryption would limit Yahoo’s ability to search and index email or offer new services to customers. When Yahoo’s new chief information security officer went to bat for user privacy and security, he found little support from CEO Marissa Mayer. The Paranoids were starved for resources, and their proposals for stronger intrusion detection were denied as well, according to the report. Even a request to automatically reset passwords for all users in the wake of a major breach was denied.
Why? Money and reach. Mayer and other executives were concerned that any disruption to service, even something as simple as a forced password reset, could push more users to leave the company and seek service elsewhere. Yahoo notified its users that a hack had occurred, but took no other action to protect them. Between the lack of evidence for state-sponsored activity and growing awareness that the company’s own neglect of security played a significant role in its downfall, Yahoo is looking like a worse acquisition for Verizon all the time.
Yahoo management could have used the Snowden leaks to justify a new round of spending and consumer-centric, privacy-friendly changes. After all, it was thanks to Snowden that we found out Yahoo had challenged the government’s right to spy on its customers in multiple secret court battles. Yahoo could have built on that record and appealed to more customers in the process. Instead, it refused to implement best practices because it was afraid of losing market share at an even faster rate.