Report: Yahoo Hack Was Result of One Wrong Click by Employee

The 2014 hack of Yahoo may have been the result of a phishing attack, according to a recent report.

The Hacker News reports that the massive data breach that Yahoo experienced in 2014 may have been the result of a password phishing link sent to a Yahoo employee which allowed hackers to gain access to the company’s data. Last week, two Russian hackers were charged with the hack, which affected 500 million Yahoo user accounts.

According to the FBI, the alleged hackers, Alexsey Belan and Karim Baratov, were working under the orders of Russian spies Dmitry Dokuchaev and Igor Sushchin. During the investigation by the FBI, it was discovered that the hacks began with a “spear phishing” email sent to “semi-privileged” Yahoo employees.

It’s currently not known how many emails were sent or to which employees, but it reportedly would have taken one targeted employee clicking a link or downloading an attachment sent by the hackers to give them full access to the company’s system. Once Alexsey Belan allegedly gained access, he reportedly began searching the Yahoo system for useful data and tools, finding the Yahoo user database and the administrative account management tool.

Belan then allegedly downloaded the entire user database which contained usernames, phone numbers, security questions and answers, password recovery emails, and a cryptographic value unique to each Yahoo account. Allegedly under the instruction of Dokuchaev and Sushchin, the hackers began to attempt to gain access to specific user accounts. The two hackers are accused of using stolen cryptographic values to generate forged access cookies for specific user accounts, allegedly allowing the Russian agents to access and read emails on the accounts.

According to the FBI investigation, these forged access cookies were generated multiple times over the course of two years, giving the hackers access to “more than 6,500 Yahoo accounts.” The hackers reportedly gained access to the email accounts of an assistant to the deputy chairman of Russia, an officer in Russia’s Ministry of Internal Affairs, Russian journalists, officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company, and a U.S. airline worker.

FBI special agent John Bennett stated in a news conference that the FBI were contacted by Yahoo in 2014 and acted as “great partners” during the investigation. However, Yahoo only went public with details of the data breach in December of 2016, advising all users to secure their accounts via two-factor authentication.

Yahoo’s lucrative $4.8 billion takeover deal with Verizon was reportedly threatened by the data breaches, but the New York Times has reported that the companies may have come to an agreement following negotiating with Yahoo, cutting $300 million off their original asking price.