How Hackers Cracked Yahoo

The investigation of the security breaches at Yahoo is painting a clearer picture of just how hackers manage to carry off such a massive breach of the internet company’s system.

According to accounts from law enforcement, the hackers involved in this case went on a “cyber skulduggery” spree that involved information scraping, mass spamming and more than 500 million accounts’ worth of information escaping out into the wilds of the dark web starting in early 2014. The attackers apparently found a way to turn Yahoo’s own systems against itself — and then used the same system to actually erase their digital footprints.

The report also shed additional light on a Russian connection to the hack that has raised some concerns — particularly in the current political environment, where perceived Russian interference has become a particularly sensitive topic. Among those targeted in the Yahoo breach were Russian and American government officials. One target was a Nevada gaming official — another,  a consultant who analyzed Russia’s bid for World Trade Organization inclusion. The hack also caught up 14 employees of a Swiss financial firm specializing in bitcoin.

So far, four men have been charged in the breach — including two officers at Russia’s spy agency.

But the scheme seems to at least in part be about good old-fashioned greed. For example, one of the hackers, Alexsey Belan, manipulated the results of some users’ searches on Yahoo to send them to an online pharmacy that paid Mr. Belan for the traffic.

Much of the malarky was made possible by a Yahoo system called the User Database. That database was Yahoo’s digital home for all kinds of desirable data like usernames, alternative email accounts and phone numbers. Passwords were encrypted via hashing, meaning they might have been hard to hack into. But then, the hackers didn’t really need to do that much work — instead they just stole a set of unique, near-random numbers attached to Yahoo accounts.

That allowed them to create session cookies that essentially tricked Yahoo’s servers into thinking that legitimate users who had previously logged in to their accounts were returning to the site.

The hackers also go their hands on Yahoo’s Account Management Tool, which — when combined with the database — could be used (and apparently was used) to create a map of the companies or organizations where Yahoo users may have worked.

The cybercriminals also got access to more than 6,500 Yahoo accounts, and then used that information to break into others.  And important “others” — diplomats, lawmakers and technology employees were all on the list, according to the FBI.

Mr. Belan has faced hacking charges before — he was arrested in in 2013 but managed to get back to mother Russia before he could be extradited from Europe, where he was caught.  A Russian official said Washington hadn’t consulted Moscow on the case and suggested the allegations were related to domestic politics in the U.S.

What remains a mystery — and a disturbing one — is just how exactly the hackers got so far into Yahoo’s system.  This attack was the first of two massive breaches recently reported by Yahoo — the charges do not cover the second one, which occurred in 2013 and affected more than one billion accounts. According to reports, the 2013 data had been protected by weaker cryptographic techniques than the 2014 data.