A History of Yahoo Hacks
The company’s huge billion-user security breach is the latest in a very long line.
Yahoo has admitted that a major security breach of its systems affected more than a billion users. It’s the worst in its history, and perhaps the biggest ever hack of user data in history. But it’s also just the latest in a long line of recent embarrassing security announcements for the company.
2012: Yahoo Loses Its Voices
When Yahoo acquired the online publishing network Associated Content in 2010 for $100 million, it also bought itself a headache. In July 2012, hackers published a cache of e-mail addresses and encrypted passwords obtained from the servers of Yahoo Voices—the new name for Associated Content. Details of 400,000 user accounts were compromised in the attack. The issue: weak security in the systems inherited by Yahoo that nobody had bothered to upgrade.
2013: Phishing for Mail
The year started badly in 2013 for Yahoo, when many Yahoo Mail users reported that their accounts had been hacked—and it didn’t get better. Despite plugging a series of security holes, the company found that users complained of a series of compromises through the first quarter of the year. Accounts were targeted via phishing attacks, in which users were encouraged to click on links within e-mails. When they did, their accounts were hijacked.
2014: Yahoo Mail (Again)
The start of 2014 wasn’t much better. Toward the end of January, Yahoo was forced to admit that it had identified an attempted hack of customer e-mail account details. Hackers has apparently used a list of usernames and passwords acquired from a third-party server to penetrate user accounts and acquire more names and e-mail addresses. Yahoo swiftly reset passwords to stop the attacks.
2016: The Half-Billion Hack
On September 22, 2016, Yahoo admitted that its servers had been hacked in 2014, with 500 million user accounts affected. Names, e-mail addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords were captured by the hackers. Yahoo said the attack was carried out by "state-sponsored" hackers. Security researchers InfoArmor disputed that claim.
2016: The Full Billion
On December 14, 2016, Yahoo announced its biggest ever security breach. The hack, widely believed to be the largest ever hack of user records, occurred in 2013 but was only brought to light following a recent investigation spurred by a law enforcement tip-off. The company says that the attack is "likely distinct" from the hack announced in September 2016.
According to the company’s chief information security officer, Bob Lord, hackers obtained "names, e-mail addresses, telephone numbers, dates of birth, hashed passwords, and, in some cases, encrypted or unencrypted security questions and answers." It’s thought that the hack was carried out using forged cookies to gain access to user accounts, without need for a password. The company has said that it believes it could be linked to a "state-sponsored actor."
2017: Verizon's Problem or Not?
In July 2016, Verizon announced that it was planning to acquire the beleaguered Yahoo for $4.8 billion. In October, Verizon's head of product Marni Walden said that the the telco would have to be “careful” in its approach to the deal, given that it has an “obligation to make sure we protect our shareholders and our investors.”
Over the latest news, Verizon spokesman Bob Varettoni said that the company “will review the impact of this new development before reaching any final conclusions” about the deal. But Bloomberg reports that it may be seeking to drive down the price of the acquisition, or even step away from it altogether.
That would seem fair enough. In light of Yahoo's recent track record, there may be yet more surprises in store.
Keep up with the latest in cybersecurity at EmTech MIT.
Discover where tech, business, and culture converge.
September 11-14, 2018
MIT Media Lab