SAN FRANCISCO — Russian hackers working with Russian spies didn’t crack Yahoo security all at once.
Instead, according to an account offered by U.S. officials, they methodically made their way deeper into Yahoo’s network over the space of months — maybe years. That allowed them to forge technological skeleton keys that would unlock many Yahoo accounts, steal personal information and then use that data to break into other email services used by their targets, U.S. officials said in announcing charges against four Russians .
That Department of Justice indictment fills in some of the blanks surrounding a massive security breach that occurred in 2014, but Yahoo didn’t reveal until six months ago. But it doesn’t answer why it took Yahoo so long to grasp its seriousness or why it waited so long to tell its users — or Verizon, which is paying $4.5 billion for Yahoo operations now tainted by the biggest security lapses in internet history.
Yahoo declined to comment beyond a statement thanking law enforcement for its efforts.
It’s also not clear whether the Russian hackers and spies involved in the Yahoo break-in were also involved in other recent hacking attacks, such as the leak of embarrassing emails from the Democratic National Committee during the 2016 election. U.S. intelligence agencies have previously said they believe that Russian hackers were involved in those breaches, too.
“We are in a cyberwar and our government hasn’t woken up and done anything about it,” said security analyst Avivah Litan of Gartner Inc.
Although the Yahoo attack compromised more than 500 million user accounts, the hackers appeared mainly interested in sifting through the email of Russian and U.S. government officials, Russian journalists and employees of financial firms and other businesses, according to the indictment.
When they weren’t spying, the hackers also tried to make money on the side with petty scams. In one ruse detailed in the indictment, the hackers are accused of manipulating Yahoo’s search results to drive traffic to a company selling erectile dysfunction drugs in exchange for commissions.
The severity of that breach, the second worst in internet history, was most likely magnified by the fact that it took some two years for Yahoo to disclose the initial attack. Had Yahoo taken more aggressive steps — for instance, asking users to change their passwords, or even expiring the passwords and forcing users to enter new ones — it might have prevented some of the damage.
Hackers got their initial access to Yahoo’s network around early 2014, although it’s not clear exactly how. By the end of the year, according to the indictment, they had made two valuable finds.
The first was a backup copy of Yahoo’s user database, current as of early November 2014. It contained a lot of information that could be used to reset passwords and gain entry to Yahoo accounts, such as phone numbers, answers to security questions and recovery email addresses used to reset forgotten passwords. The database also contained cryptographically scrambled data Yahoo normally uses to authorize users as they log in.
The second was an internal tool for editing information in the user database.
By December 2014, Yahoo executives and lawyers knew hackers tied to a foreign government had gained access to some of its users’ personal information, but didn’t dig deeper into the incident, according to a report released earlier this month by the company’s board. Yahoo merely notified 26 users that they there information may have been taken and also consulted with law enforcement.
FOOL ME ONCE, FOOL ME TWICE
Hackers accessed user accounts by fooling Yahoo into thinking they had already signed in. Companies like Yahoo typically use bits of data called cookies to let you stay signed into an account via a web browser. This is how you keep Gmail, for instance, open even if you close your browser and restart it. Hackers used malware and information from the user database to manufacture fake cookies. To Yahoo, it then appeared that a hacker was the authorized user.
That method worked so long as users didn’t change their passwords after early November 2014. Hackers used this technique to target more than 6,500 user accounts.
There was nothing particularly fancy about what the Russian hackers did, said Shuman Ghosemajumder, who used to fight fraud at Google and is now chief technology officer for Shape Security. But it still doesn’t look as bad as it might have had the heist been engineered by a clever teenager or another digital burglar working without the backing of a foreign government, experts said.
“The CIA can’t even protect against some of these guys, so my sympathies are with Yahoo,” Litan said. “I don’t know how good Yahoo’s security was, but it is really hard to detect these nation-state hackers.”
Yahoo has already paid a steep price. Verizon extracted a $350 million discount on the initial purchase price for Yahoo’s online services after initially demanding a $925 million reduction for the damage done. Yahoo still faces dozens of lawsuits.
While Russian intelligence officials were interested only in a limited number of accounts, hackers used access to Yahoo’s network for their own financial gain.
Besides the erectile dysfunction scheme, the hackers also searched email accounts for credit card information and electronic gift cards. The hackers even combed through email accounts looking for gift cards a few week after Yahoo announced the breach.
Attackers also searched emails for contact information of friends and colleagues; such data enabled spam that appeared to originate from those friends and colleagues, making it more likely for the recipient to open the message.
THE OTHER BREACH
The 2014 breach was the second of two major breaches at Yahoo and involved at least 500 million user accounts. Yahoo later revealed that it had uncovered a separate hack in 2013 affecting about 1 billion accounts, including some that were also hit in 2014. Wednesday’s indictment didn’t address the 2013 breach.
Jesdanun and Anderson reported from New York.