If you were born in the 90s, chances are that you once had a Yahoo email account with an absurd name. Founded at Stanford University in January 1994 by two electrical engineers, Jerry Yang and David Filo, Yahoo was initially "Jerry and David's Guide to the World Wide Web," a directory of websites arranged in a hierarchy. Later, in 1995, Yahoo.com was registered, and it grew into a web portal that acquired many smaller organizations. Its stock price reached an all-time high of USD 118.75 in 2000 and fell to USD 8.11 the following year, after the dot-com bubble burst. From 2005 to 2007, Yahoo was under discussion for a potential takeover by Microsoft.
First announced data breach:
In September 2016, Yahoo announced that over 500 million of its accounts had been compromised in late 2014. The data acquired by the hackers included names, email addresses, dates of birth, contact numbers, hashed passwords and security questions. The stolen passwords were hashed with bcrypt, a hashing technique that adds a salt to each password and is resistant to brute-force attacks. However, the other compromised fields used simple hashing techniques that could be easily cracked and then used to reset the password. Besides, this kind of personal information could be used to compromise banking and other financial accounts. Yahoo claimed that the hackers were state-sponsored (country undisclosed, but some suspect China and Russia) and exploited its systems using a cookie-based attack that allowed the hackers to log in without entering a password.
Later, in November 2016, Yahoo said that it had been aware of the breach but did not know its full extent until July 2016. After that, it confirmed that its security was no longer compromised. During the attacks, Yahoo did caution users but didn't reset their passwords.
TheRealDeal and Peace_of_mind:
TheRealDeal was a marketplace on the deep web, or darknet, used to sell security exploits. A darknet site cannot be accessed with a traditional web browser and requires a specific configuration to reach. In July 2006, 200 million Yahoo accounts were on sale on TheRealDeal. A user named Peace_of_Mind claimed to be the broker for the accounts hacked during the 2014 data breach. This online sale of accounts is said to have triggered Yahoo's suspicion about the data breach.
Second announced data breach:
On 14th December 2016, Yahoo again reported a data breach, this time of 1 billion users, which took place in August 2013. This is the biggest known security breach in the world. Yahoo learned of the breach after law enforcement notified it. The breach was similar in kind to the first announced breach, and Yahoo had not prompted its users to reset their passwords and security questions until late 2016. InfoArmor, a cyber-security company, was already looking into the 2013 breach when it found a sale of 1 billion accounts on TheRealDeal. It is said that the compromised accounts included around 150,000 government officials of Canada, Australia and the EU. InfoArmor didn't go to Yahoo with this information, because Yahoo had dismissed InfoArmor's claims in the past and because Yahoo was in the middle of the Verizon buyout.
Currently, the US federal Securities and Exchange Commission (SEC) is investigating why it took so long for Yahoo to announce the security breach. There are claims that employees at Yahoo were aware of the data breach but kept mum for years. These two announcements have already strained Yahoo's deal with Verizon, with Verizon offering to pay a billion dollars less than the previously agreed $4.8 billion.