
Case study on Yahoo!

Grouped by:

Immanuel Kumar
Arfat Khan
Kaushal Bhuwad
Pratik Rajguru
Introduction :-

Yahoo!, founded in 1994 by Stanford Ph.D. students David Filo and Jerry Yang, began as a hobby
and has changed the way people communicate with each other and share and create information.
Yahoo! has been in the market with a variety of products and services, including a search engine,
email, Messenger, News, analytics services and web hosting.
The company's headquarters is in Sunnyvale, California, and it has more than twenty offices
around the world.
➢ Yahoo! Inc. has become the world's largest global online network, with more than five
hundred million users in the world.
➢ The Internet service company Yahoo! was subject to the largest data breach on record.
➢ The first announced breach, reported in September 2016, had occurred sometime in late 2014 and
affected over 500 million Yahoo! user accounts.
➢ A separate data breach, occurring earlier, around August 2013, was reported in December 2016.
It was initially believed to have affected over 1 billion user accounts.
➢ Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both
breaches are considered the largest discovered in the history of the Internet.
➢ Specific details of material taken include names, email addresses, telephone numbers, encrypted or
unencrypted security questions and answers, dates of birth, and hashed passwords.
➢ Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify
login credentials, allowing hackers to gain access to any account without a password.
➢ Yahoo! has been criticized for its late disclosure of the breaches and its security
measures, and is currently facing several lawsuits as well as investigation by members of
the United States Congress.
➢ The breaches impacted Verizon Communications' July 2016 plans to acquire Yahoo! for
about $4.8 billion, which resulted in a decrease of $350 million in the final price on the
deal closed in June 2017.
The Three Yahoo Cyber Attacks :-

➢ 1 – July 2016 discovery

• Around July 2016, account names and passwords for about 200 million Yahoo!
accounts were presented for sale on the darknet market site "TheRealDeal".
• The seller, known as "Peace_of_Mind" or simply "Peace", stated in confidential
interviews with Vice and Wired that he had had the data for some time and had
been selling it privately since about late 2015.
• Experts believe that Peace is only a broker of the information that hackers obtain
and sell through him. Yahoo! stated that it was aware of the data and was
evaluating it, and cautioned users about the situation, but did not reset account
passwords at that time.
➢ 2 – Late 2014 breach
• The first reported data breach in 2016 had taken place sometime in late 2014,
according to Yahoo! The hackers had obtained data from over 500 million user
accounts, including account names, email addresses, telephone numbers, dates of
birth, hashed passwords, and in some cases, encrypted or unencrypted security
questions and answers. Security experts noted that the majority of Yahoo!'s
passwords used the bcrypt hashing algorithm, which is considered difficult to crack,
with the rest using the older MD5 algorithm, which can be broken rather quickly.
• Yahoo! reported the breach to the public on September 22, 2016. Yahoo! believes
the breach was committed by "state-sponsored" hackers, but did not name any
country. Yahoo! affirmed the hacker was no longer in their systems and that the
company was fully cooperating with law enforcement. The Federal Bureau of
Investigation (FBI) confirmed that it was investigating the affair.
• The November 2016 SEC (Securities and Exchange Commission) filing noted that
the company believed the data breach had been conducted through a cookie-based
attack that allowed hackers to authenticate as any other user without their
password. Yahoo! and its outside security analysts confirmed this was the method
of intrusion in their December 2016 announcement of the August 2013 data
breach, and had invalidated all previous cookies to eliminate this route. In a
regulatory filing in 2017, Yahoo! reported that 32 million accounts were accessed
through this cookie-based attack through 2015 and 2016. Multiple experts believe
that the security breach was the largest such incident made public in the history of
the Internet at the time.
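
The bcrypt/MD5 split noted above is something a defender can measure and reduce in their own credential store. The following is an added example, not code from Yahoo! or from the original slides, and it goes beyond the text by also wrapping legacy hashes: it classifies stored hashes by format and wraps each raw MD5 digest in a slow hash so it is no longer quickly crackable at rest. PBKDF2 from the Python standard library stands in for bcrypt, and the record format, iteration count and sample rows are assumptions.

```python
import hashlib, hmac, os, re

# bcrypt strings: "$2a$/$2b$/$2y$" + 2-digit cost + "$" + 53 characters.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 600_000  # assumed work factor for the PBKDF2 wrapper

def classify(stored):
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if MD5_RE.match(stored.lower()):
        return "md5"
    return "unknown"

def wrap_md5(md5_hex, salt=None):
    """Protect a legacy MD5 hash at rest without knowing the password."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.lower().encode(), salt, ITERATIONS)
    return f"pbkdf2-md5${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_wrapped(password, record):
    """Check a login attempt against a wrapped record: PBKDF2(MD5(password))."""
    _, iters, salt_hex, dk_hex = record.split("$")
    inner = hashlib.md5(password.encode()).hexdigest()
    dk = hashlib.pbkdf2_hmac("sha256", inner.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def migrate(rows):
    """Return (counts per scheme, rows with every raw MD5 hash wrapped)."""
    counts, out = {}, {}
    for user, stored in rows.items():
        kind = classify(stored)
        counts[kind] = counts.get(kind, 0) + 1
        out[user] = wrap_md5(stored) if kind == "md5" else stored
    return counts, out

# Constructed sample rows (not real account data).
SAMPLE = {
    "alice": "$2b$12$" + "A" * 53,                     # bcrypt-shaped placeholder
    "bob": hashlib.md5(b"correct horse").hexdigest(),  # raw MD5, assumed unsalted
}

if __name__ == "__main__":
    counts, upgraded = migrate(SAMPLE)
    print(counts, upgraded["bob"][:24] + "...")
```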
➢ 3 – August 2013 breach
• The first data breach occurred on Yahoo! servers in August 2013; Yahoo! stated
this was a separate breach from the late 2014 one and was conducted by an
"unauthorized third party". Similar data as from the late 2014 breach had been
taken from over 1 billion user accounts, including unencrypted security questions
and answers. Yahoo! reported the breach on December 14, 2016, and forced all
affected users to change passwords, and to re-enter any unencrypted security
questions and answers to make them encrypted in the future. In February 2017,
Yahoo! notified some users that data from the breach and forged cookies could
have been used to access these accounts. This breach is now considered the
largest known breach of its kind on the Internet. In October 2017, Yahoo! updated
its assessment of the hack, and stated that it believes all of its 3 billion accounts
at the time of the August 2013 breach were affected.
Prosecution

➢ On March 15, 2017, the FBI officially charged four men with the 2014 breach, including
two who work for Russia's Federal Security Service (FSB).
➢ In its statement, the FBI said, "The criminal conduct at issue, carried out and otherwise
facilitated by officers from an FSB unit that serves as the FBI's point of contact in
Moscow on cybercrime matters, is beyond the pale."
Legal and commercial

▪ Verizon Communications merger deal

➢ In February 2017, Verizon and Yahoo! announced that the deal would still go forward, but
with the sale price dropped by $350 million, down to $4.48 billion. The deal officially closed
at this reduced price in June 2017.
▪ United States government
➢ In April 2018, the SEC announced that it had reached a deal with Altaba, the company
that holds the assets of Yahoo! not purchased by Verizon, for US$35 million for failure to
disclose the 2014 breach in a timely manner.
▪ Class action lawsuits
➢ Verizon and Altaba agreed to split the cost of a US$50 million settlement in October 2018.
In the settlement, those who can document identity theft damage from the breach can seek
up to US$375; otherwise, those with known affected Yahoo! accounts
can seek up to US$125.
▪ International
➢ In late November, Ireland's Data Protection Commissioner (DPC), the lead European
regulator on privacy issues for Yahoo!, whose European headquarters are in Dublin, said
that it had stepped up its examination of the breach.
Russian hack on Yahoo

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee. It's unclear
how many employees were targeted and how many emails were sent, but it only takes one person to click
on a link, and it happened.

Once Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network, he
looked for two prizes: Yahoo's user database and the Account Management Tool, which is used to edit the
database. He soon found them.
The database contained names, phone numbers, password challenge questions and answers and, crucially,
password recovery emails and a cryptographic value unique to each account.

The account management tool didn't allow for simple text searches of user names, so instead the hackers
turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery
email address, and sometimes the email domain tipped them off that the account holder worked at a
company or organization of interest.
Once the accounts had been identified, the hackers were able to use stolen cryptographic values called
"nonces" to generate access cookies through a script that had been installed on a Yahoo server. Those
cookies, which were generated many times throughout 2015 and 2016, gave the hackers free access to a user
email account without the need for a password.
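
Why copying the database was enough to mint cookies, and why invalidating them meant changing server-side state, can be shown with a small model. This is an added example, not Yahoo!'s code or cookie format: the derived-cookie scheme, the class and the function names are hypothetical, chosen to contrast a cookie computable from a stored per-account value with a random session token of which only the hash is stored.

```python
import hashlib, hmac, secrets

class Accounts:
    """Constructed user store; the per-account nonce sits in the database."""
    def __init__(self):
        self.nonce = {}     # user -> bytes, readable by anyone holding a DB copy
        self.sessions = {}  # sha256(session token) -> user, written only at login

    def add(self, user):
        self.nonce[user] = secrets.token_bytes(32)

    def rotate_nonce(self, user):
        self.nonce[user] = secrets.token_bytes(32)

def mint_derived_cookie(user, nonce):
    # Weak design (hypothetical): cookie is computable from database contents alone.
    tag = hmac.new(nonce, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_derived_cookie(db, cookie):
    user, _, tag = cookie.rpartition(".")
    nonce = db.nonce.get(user)
    if nonce is None:
        return None
    good = hmac.new(nonce, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, good) else None

def login_random_session(db, user):
    # Hardened design: random token; only its hash is stored server-side.
    token = secrets.token_urlsafe(32)
    db.sessions[hashlib.sha256(token.encode()).hexdigest()] = user
    return token

def verify_random_session(db, token):
    return db.sessions.get(hashlib.sha256(token.encode()).hexdigest())

def demo():
    db = Accounts()
    db.add("alice")
    copied_nonce = db.nonce["alice"]               # what a database copy exposes
    offline = mint_derived_cookie("alice", copied_nonce)
    before = verify_derived_cookie(db, offline)    # accepted, no password involved
    db.rotate_nonce("alice")                       # the "invalidate all cookies" step
    after = verify_derived_cookie(db, offline)     # now rejected
    real = login_random_session(db, "alice")
    copied_hash = next(iter(db.sessions))          # a DB copy yields only the hash
    return (before, after, verify_random_session(db, real),
            verify_random_session(db, copied_hash))

if __name__ == "__main__":
    print(demo())
```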

The hacked users included an assistant to the deputy chairman of Russia, an officer in Russia's Ministry of
Internal Affairs and a trainer working in Russia's Ministry of Sports. Others belonged to Russian journalists,
officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company
and a U.S. airline worker.

So clinical was the attack that when Yahoo first approached the FBI in 2014, it went with worries that 26
accounts had been targeted by hackers. It wasn't until late August 2016 that the full scale of the breach began
to become apparent and the FBI investigation significantly stepped up.

In December 2016, Yahoo went public with details of the breach and advised hundreds of millions of users to
change their passwords.
Thank You
