One attack led to another at Yahoo

Russian hackers working with Russian spies did not crack Yahoo security all at once – they methodically made their way deeper into Yahoo’s network over the space of months, maybe years, according to US officials.


Here is a look at how the breach occurred.


Hackers got their initial access to Yahoo’s network about early 2014, although it is not clear exactly how.

By the end of the year, they had made two valuable finds.

The first was a back-up copy of Yahoo’s user database, which contained information that could be used to reset passwords and gain entry to Yahoo accounts, including phone numbers, answers to security questions and recovery email addresses.

The database also contained scrambled user passwords, which Yahoo uses to verify users as they log in.

The second was an internal tool Yahoo used to access and edit information in the user database. Together, they allowed hackers to start unlocking Yahoo accounts at will.


In effect, hackers created a Yahoo skeleton key by fooling the service into thinking they had already signed into particular accounts, even if they did not know their passwords. Web service providers typically use data called cookies to let you stay signed into an account via a web browser.

The hackers used malware and the scrambled passwords in the user database to manufacture fake cookies. To Yahoo, it then appeared the hacker was the authorised user, who was already logged in without entering a password.

That method worked so long as users did not change their passwords after early November 2014. Hackers used this technique to target more than 6500 user accounts.


The hackers targeted employees of specific companies by searching the database for recovery emails that used employer domains, according to the indictment.

Hackers also searched emails for the existence of other accounts controlled by the same user. Some were at Yahoo, others at Google’s Gmail and other companies. The hackers could then send emails designed to dupe recipients into installing malware or providing passwords for those other accounts.


While Russian intelligence officials were interested only in a limited number of accounts, hackers used access to Yahoo’s network for their own financial gain.

For instance, they manipulated servers so searches for erectile dysfunction medications generated a link that took users to an online pharmacy that was paying commissions to the hackers.

Hackers also searched users’ email accounts for credit card information and electronic gift cards. Hackers also searched emails for contact information of friends and colleagues; such data enabled spam that appeared to originate from those friends and colleagues.


The 2014 breach was the second of two major breaches at Yahoo and involved at least 500 million user accounts. Yahoo later revealed it had uncovered a separate hack in 2013 affecting about one billion accounts, including some that were also hit in 2014. Wednesday’s indictment did not address the 2013 breach.