Yahoo 2014 Data Breach Case Study


Student’s Name (without credentials)

Chamberlain University College of Nursing

Course Number: Course Name

Name of Instructor

Assignment Due Date




Introduction
Yahoo was designed and created by David Filo and Jerry Yang in 1994. It grew rapidly, accumulating over 225 million active users. This online service provider is famous for features such as chat groups, email, a search engine, and instant messaging. Yahoo, a web-based utility currently managed by Verizon, was a pioneer of the early networking services. It mainly specializes in Yahoo Mail and the Yahoo search engine. In 2014 the email service made the news headlines after being hit by hackers. What caused more concern about Yahoo’s 2014 data breach was its magnitude and the way information about the attack was disclosed.

However, despite Yahoo being a smooth and reliable service provider, it fell victim to mismanagement and misconduct: in 2014 the Yahoo executive management team was aware of the attack over its two-year course but did not talk about it publicly (Shankar & Mohammed, 2020). For large corporations holding sensitive public information, such as Yahoo, how quickly and responsibly the company detects and solves its problems is what maintains its integrity and public trust. This case study investigates how the attack happened and suggests possible solutions to avoid such occurrences in the future.

Case Description
Between 2014 and 2016 Yahoo’s network was accessed by Russian hackers, compromising an estimated 3 billion accounts. Yahoo, similar to Google, offers email accounts to its users that are used to facilitate digital communication. Email is vital in the 21st century, and many other accounts, such as Facebook and Instagram, are connected via these email accounts. Compromising the email accounts puts the private data on the social media accounts in jeopardy. USCYBERCOM and the NSA classified Russia as the most dangerous cyber security threat of the coming years after discovering that Russia had conducted a series of dozens of attacks, with the United States not being left aside.

The Russian state security service commissioned four hackers, among them two Russian spies, to infiltrate Yahoo to acquire information on United States citizens. Later the FBI revealed their identities as Aleksey Belan, a Latvian; Karim Baratov, a Canadian; Dmitry Dokuchaev, a Russian; and Igor Sushchin, also a Russian. These four hackers were responsible for the 2014 Yahoo data breach. Law enforcement intervened, and Karim Baratov was indicted in 2017 for the Yahoo hack and other related cybercrimes. The criminal justice system sentenced him to five years’ imprisonment and a fine of $250,000. The other three members have not yet been indicted, although they remain on the FBI’s list of most wanted criminals (Kolevski et al., 2021).

How they got into Yahoo’s database

In 2014, spear-phishing emails were sent to several staff members at Yahoo. Eventually, a staff member fell victim to the attack and set the data breach in motion, allowing Aleksey Belan, a Latvian unethical hacker, to infiltrate the Yahoo server by injecting malware into it through the phishing email. This act sparked a series of other exploitative manoeuvres that had severe consequences throughout the Yahoo organization. Once Belan was in, he started probing the system to reach two main pieces of information: Yahoo’s user database and the Account Management Tool (AMT), with which Yahoo manages user accounts, for example updating account passwords and other account information.



How they maintained access for two years

Belan was successful in his endeavour. However, to keep access to Yahoo’s server, he installed crafted malware that gave him backdoor access to it, after confirming that the server held valuable information that he and his crew could exploit maliciously. Once they had access to the server, they installed other malware to keep themselves hidden and under the scanners’ radar. They did this to remain undetectable while still within the server.

Case Analysis
Yahoo’s three billion users had their information stolen. Among the data illegally acquired by the Russian hackers were the official names of the users, passwords, backup email addresses, security questions, phone numbers, and dates of birth associated with other accounts. This event echoes the cyber-attack on the Maxx corporation in the United States, which ranked as one of the most significant data breaches in history (Saleem & Naveed, 2020). Data stolen by the hackers was put up for sale on the dark web, making the data breach critical.

The U.S. Securities and Exchange Commission (SEC) requires companies to submit a summative report to the SEC and to make the company’s progress and milestones known to the involved stakeholders (Spinello, 2011). The most devastating matter is that Yahoo presented false information denying the occurrence of the breach in its 8-K form, a denial that, when combined with the non-disclosure, led to the deterioration of Yahoo’s brand together with its financial reputation. Its stock fell, billions of dollars of market capitalization were lost, and its contract with Verizon was affected.



Technical aspects of the case

Yahoo uses a password-based key derivation function known as bcrypt, which is difficult for hackers to crack. The primary goal of the bcrypt mechanism was to be a memory-hard problem that is resistant and resilient against brute-force attacks. However, two years after the hacking announcement, it was discovered that not all of Yahoo’s staff had their passwords hashed using bcrypt. This was a security threat, as it was difficult to quantify the number of workers whose passwords were not hashed using bcrypt. Password hashing algorithms keep being upgraded.

Before using bcrypt, Yahoo used MD5. The weakness here is that, for a user’s password to be upgraded to the current hashing mechanism, the user must first change the current password; changing the password makes it inherit the new hashing algorithm. However, most users rarely change their passwords and therefore remain on the old and outdated password protection mechanism. With some users’ passwords still stored in the easy-to-crack form, accessing people’s private details becomes easy.
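The rehash-on-login pattern removes the dependency on users changing their passwords: the plaintext is available for a moment during every successful login, and that moment can be used to rewrite a legacy record with the current scheme. The following is an added example, not part of the original case study and not Yahoo’s code. It assumes a plain dictionary as the user store, uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for bcrypt (which is not in the standard library), and the record formats are constructed for the example:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stored-credential formats, constructed for this example:
#   legacy record: "md5$<hex digest>"                          (unsalted, fast, outdated)
#   modern record: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: bcrypt is not in the
# standard library); the migration logic is the same for any slow, salted hash.

PBKDF2_ITERATIONS = 600_000


def hash_md5(password: str) -> str:
    """Legacy hash, kept only so that old records can still be verified."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_modern(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash used for new and migrated records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a record in either format, comparing in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        expected = rest
        actual = hashlib.md5(password.encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        try:
            iterations, salt_hex, expected = rest.split("$")
            actual = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
            ).hex()
        except ValueError:  # malformed record
            return False
    else:
        return False
    return hmac.compare_digest(actual, expected)


def needs_upgrade(stored: str) -> bool:
    """True for legacy records and for modern records with a weaker work factor."""
    scheme, _, rest = stored.partition("$")
    if scheme != "pbkdf2_sha256":
        return True
    return int(rest.split("$")[0]) < PBKDF2_ITERATIONS


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Verify the password; on success, silently rehash an outdated record.

    This is the only point at which the server sees the plaintext, so it is the one
    moment an old record can be upgraded without asking the user to change it.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = hash_modern(password)
    return True


def count_legacy(users: Dict[str, str]) -> int:
    """Inventory of records still on an outdated scheme, for tracking the migration."""
    return sum(1 for record in users.values() if needs_upgrade(record))


def demo() -> tuple:
    # Constructed user table: one legacy MD5 record, one already-migrated record.
    users = {"alice": hash_md5("correct horse"), "bob": hash_modern("battery staple")}
    legacy_before = count_legacy(users)
    ok = login(users, "alice", "correct horse")
    legacy_after = count_legacy(users)
    return legacy_before, ok, legacy_after, users["alice"].startswith("pbkdf2_sha256$")
```

Because `needs_upgrade` also flags modern records whose iteration count is below the current setting, raising `PBKDF2_ITERATIONS` later migrates those records the same way, and `count_legacy` gives the number of accounts still on the weak scheme at any moment.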

The attack began with a spear-phishing email sent by the attackers to one of Yahoo’s employees. Phishing emails are malicious emails crafted by an attacker and sent to a target who, upon falling for the deception, clicks the link in the email, making their personal information and other valuable records visible to the hacker. What makes a phishing attack more lethal is that it takes only one successful attack on one of the victims to compromise the entire server. Therefore, although the email was sent to several Yahoo employees, all it took was for one of them to fall victim to the attack.



The attackers installed cookies on the system, enabling them to activate a backdoor that allowed them unlimited remote access to the server. Backdoors can be installed through hardware or software, and in this attack the backdoor was installed in the form of software, since the attackers had no physical access to the server. Besides maintaining access to the server, backdoors can also be used as the basis for further attacks such as port binding. These happen undetectably, with attackers getting in and out of the server whenever they like.

When users normally log in to their Yahoo email account, the server manages the session by creating a cookie to authenticate the user. The cookie is then sent back and forth between the server and the user’s web browser, keeping them logged in as long as they use their account. The session cookies are stored locally on the computer’s hard drive and spare the user from repeated login attempts each time the web page reloads. The hackers generated live sessions on Yahoo’s server for the target users’ accounts, enabling them to gain access to an account without needing its login credentials.
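An added illustration, not from the original case study and not Yahoo’s implementation, of how a server can protect the session cookies described above. Each cookie carries an HMAC computed with a key that only the server holds, so a cookie assembled without that key or edited after issue fails verification, and the server additionally keeps a registry of live sessions so that a cookie can be revoked even when its signature is valid. The cookie layout, the key and the in-memory session store are all constructed for this example:

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Constructed for this example: a signing key that lives only on the server.
# The cookie layout (base64url payload "." base64url HMAC) is a generic pattern
# chosen for illustration, not Yahoo's cookie format.
SERVER_KEY = os.urandom(32)

# Server-side registry of live sessions (session id -> user). A cookie is accepted
# only if its session id is still registered, so sessions can be revoked no matter
# what cookie the client presents.
LIVE_SESSIONS: Dict[str, str] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_cookie(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Create a session for `user` and return the signed cookie value."""
    issued = time.time() if now is None else now
    session_id = _b64(os.urandom(16))
    payload = json.dumps({"sid": session_id, "user": user, "exp": issued + ttl_seconds}).encode()
    LIVE_SESSIONS[session_id] = user
    return _b64(payload) + "." + _b64(_sign(payload, SERVER_KEY))


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is authentic, unexpired and still registered, else None."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        # Constant-time MAC comparison: a cookie built without SERVER_KEY fails here.
        if not hmac.compare_digest(_sign(payload, SERVER_KEY), _unb64(sig_b64)):
            return None
        claims = json.loads(payload)
        sid, user, exp = claims["sid"], claims["user"], float(claims["exp"])
    except (ValueError, KeyError, TypeError):  # malformed cookie of any kind
        return None
    current = time.time() if now is None else now
    if exp < current:
        return None
    # Revocation check: a copied or replayed cookie is useless once its session is dropped.
    if LIVE_SESSIONS.get(sid) != user:
        return None
    return user


def revoke_user_sessions(user: str) -> int:
    """Drop every live session of `user` (e.g. after a password reset or a breach notice)."""
    doomed = [sid for sid, u in LIVE_SESSIONS.items() if u == user]
    for sid in doomed:
        del LIVE_SESSIONS[sid]
    return len(doomed)


def demo() -> dict:
    """Exercise the checks and report which outcomes occurred."""
    t0 = 1_700_000_000.0  # constructed fixed clock
    good = mint_cookie("alice", now=t0)
    payload_b64, sig_b64 = good.split(".")
    # Same payload re-signed with a key that is not the server's.
    wrong_key = payload_b64 + "." + _b64(_sign(_unb64(payload_b64), b"not-the-server-key"))
    # Payload edited to claim another user, original signature kept.
    edited = _b64(json.dumps({"sid": "x", "user": "bob", "exp": t0 + 999}).encode()) + "." + sig_b64
    results = {
        "genuine_accepted": verify_cookie(good, now=t0) == "alice",
        "wrong_key_rejected": verify_cookie(wrong_key, now=t0) is None,
        "edited_payload_rejected": verify_cookie(edited, now=t0) is None,
        "expired_rejected": verify_cookie(good, now=t0 + 7200) is None,
        "garbage_rejected": verify_cookie("not-a-cookie", now=t0) is None,
    }
    revoke_user_sessions("alice")
    results["revoked_rejected"] = verify_cookie(good, now=t0) is None
    return results
```

The signature alone is not enough if the signing key itself is exposed, which is why the registry and a short expiry matter: revoking every session of an affected user and rotating the key turns cookies that were valid a moment ago into rejected ones, and the server never has to trust what the client presents.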

The strategy of the attack

In 2014 there were the first indications of a possible data breach, and in the same year Yahoo went to the FBI with the details of the attack, but the information was not enough for Yahoo to suspect that the data breach was a state attack. In 2015, cookies were generated on Yahoo servers, and this malpractice continued into 2016. In August 2016, the full scale of the breach became apparent. That the attackers could remain virtually invisible for that long gave the sense that the attack was well coordinated and well funded. In December 2016, Yahoo finally decided to go public with the information about the breach. As a result, Yahoo lost a significant amount of public trust; its brand image was tarnished because more than one billion accounts were compromised.

How the attack was a systematic problem

One of Yahoo’s employees failed to observe security protocol, such as installing anti-phishing malware detectors on their system, and fell victim to the attacker’s plan, jeopardizing the entire system. Yahoo is still recovering to this day after one billion accounts were compromised. The scale of data breaches at other brands such as LinkedIn, AOL, eBay, and Tumblr was minimal compared to Yahoo’s. Yahoo lost its brand and customer base. Yahoo revised its security policies; the CEO of Yahoo at that time, Morrison Mare, doubled the amount of security staff and invested roughly two hundred and fifty million dollars in security initiatives. One of the security investments was the creation of a red team, a team of paid ethical hackers who go through the server looking for any vulnerabilities that could lead to another data breach.

One of the main contributing issues that prevented Yahoo from recovering from the attack was the communication problem that percolated between different Yahoo components. Some parts of the company knew of an ongoing attack as early as 2014 but said nothing. Ironically, other parts of the company were kept in the dark, with minimal awareness of the attack until it was too late. The Yahoo data breach remained a mystery until 2016. According to McAndrew, Verizon and Yahoo engaged in business talks in 2016 to discuss how Yahoo would sell its business operations to Verizon. In the talks, Yahoo concealed information concerning the 2014 data breach and disclosed only information that would not cause much concern to Verizon. As exhibited in the 8-K form that Yahoo filed on July 25, 2016, Yahoo filed the stock purchase agreement with false information about the data breach, misrepresenting what had actually occurred. However, Yahoo’s new CISO (Chief Information Security Officer) later disclosed the accurate information to Verizon.

Case Implications
The hackers, supposedly sponsored by Russian security and military services, harvested 500 million user accounts, including passwords and recovery emails; among the victims were a Nevada gaming official, a senior officer of a U.S. airline, and the CTO of a French transportation company. This hacking malpractice went on from 2014 to 2016. In late 2016, Yahoo made the bold decision to publicize the information about the attack. The offenders were indicted in 2017. For two years Yahoo was under an enormous amount of continuous exploitation without its consent.

With access to this critical and private information, they checked for the domains of the recovery email addresses they wanted to target. They exploited the email addresses to find other outside, related accounts so they could use the “I forgot my password” function to forge their access to those accounts. For example, if a user had a separate account outside Yahoo, its password could be bypassed simply by using the “I forgot my password” feature and either answering the security question associated with the Yahoo account or using the recovery email address, the Yahoo mail.

In late 2014 (December, to be specific), Belan made the next move of the attack: he downloaded the data from the server and transferred it to his personal computer. In doing so, Belan and the other three members gained access to the information of almost every Yahoo user, including their recovery emails and password recovery questions. The dire implication of this act is that, even if the users updated their Yahoo information on the server remotely, the hackers still had the users’ information and were in a position to initiate another series of attacks on the compromised Yahoo users (Chatterjee et al., 2019).



Existing measures to prevent such an attack

Yahoo has implemented a method to reinforce database security by using robust password hashing algorithms. Using techniques such as bcrypt and MD5 to hash passwords makes it hard for hackers to penetrate the server or user accounts. Additionally, Yahoo uses password verification methods whereby, after entering the password, a user has to perform a verification process to confirm that it is the proper user logging into the account. This method is safe when someone attempts an unauthorized login: a verification code is sent to the account’s original owner. The owner can approve the login or report it to the Yahoo security management team as malicious activity, and security actions are then taken against the infiltrator.
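The login-approval step the paragraph describes, written as an added example that is not part of the original case study and not Yahoo’s implementation. It assumes the password check has already passed and that the returned code is delivered to the account owner out of band (email or SMS); the code lifetime, the attempt limit, the pending-login table and the event log are all constructed for the example:

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy values for this example; they are not Yahoo's settings.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingLogin:
    code_mac: bytes      # keyed hash of the code; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


PENDING: Dict[str, PendingLogin] = {}   # user -> outstanding verification step
SECURITY_EVENTS: List[str] = []         # what the security team would review


def _mac(code: str, salt: bytes) -> bytes:
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def start_verification(user: str, now: Optional[float] = None) -> str:
    """Call after the password check passed. Returns the code to deliver to the
    account owner out of band; only a salted MAC of it is kept server-side."""
    issued = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    salt = os.urandom(16)
    PENDING[user] = PendingLogin(_mac(code, salt), salt, issued + CODE_TTL_SECONDS)
    return code


def complete_verification(user: str, submitted: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'wrong', 'expired', 'locked' or 'no_pending'."""
    pending = PENDING.get(user)
    if pending is None:
        return "no_pending"
    current = time.time() if now is None else now
    if current > pending.expires_at:
        del PENDING[user]
        SECURITY_EVENTS.append(f"{user}: verification code expired unused")
        return "expired"
    pending.attempts += 1
    # Constant-time comparison of the submitted code's MAC against the stored one.
    if hmac.compare_digest(_mac(submitted, pending.salt), pending.code_mac):
        del PENDING[user]
        return "ok"
    if pending.attempts >= MAX_ATTEMPTS:
        del PENDING[user]
        SECURITY_EVENTS.append(f"{user}: {MAX_ATTEMPTS} wrong codes, login denied")
        return "locked"
    return "wrong"


def report_unrecognized_login(user: str) -> None:
    """The owner did not initiate the login: cancel the pending step and flag it."""
    PENDING.pop(user, None)
    SECURITY_EVENTS.append(f"{user}: owner reported an unrecognized login attempt")
```

Storing only a salted MAC of the code means a copy of the pending table does not yield usable codes, the attempt limit keeps a six-digit code from being guessed within its lifetime, and `SECURITY_EVENTS` is where a report from the owner, or a run of wrong codes, would surface to the security team.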

It is a collective responsibility of both the service provider (Yahoo) and the general account users to strengthen security and keep malicious attackers at bay (Daswani & Elbayadi, 2021). Users can prevent others from observing their login details. Suppose someone uses a public connection to access the internet. In that case, a step such as using a data encryption method like a virtual private network (VPN) prevents personal information such as credit card numbers, official names, location, and social security numbers from being accessed remotely by hackers. In doing so, cybercrimes such as identity theft are controlled.

The criminal justice system plays a significant role in curbing cyber security attacks. High fines and longer periods of imprisonment deter malicious activities. If someone is caught trying to gain unauthorized access to someone’s account, they should face harsh disciplinary action that will deter similar offenders. Additionally, the criminal justice system should increase its responsiveness to reports so that once someone reports malicious activity, quick action is taken.



Conclusion
The data breach has brought to light for the U.S. government that a foreign country’s agency can and will hack into the servers and accounts of U.S. companies, government bodies, and citizens, using the weak points in the systems of companies that hold sensitive information. Additionally, the general public and account users are now aware that their information security is an important aspect that should be considered. It might be just data, but there are limitless ways malicious hackers can use the data to their advantage. State security should be toughened to protect data integrity for local citizens and the state from external attacks that may lead to data and information breaches.



References

Chatterjee, S., Gao, X., Sarkar, S., & Uzmanoglu, C. (2019). Reacting to the scope of a data breach: The differential role of fear and anger. Journal of Business Research, 101, 183–193. https://doi.org/10.1016/j.jbusres.2019.04.024

Daswani, N., & Elbayadi, M. (2021). Big breaches: Cybersecurity lessons for everyone. Apress.

Kolevski, D., Michael, K., Abbas, R., & Freeman, M. (2021). Cloud data breach disclosures: The consumer and their personally identifiable information (PII)? 2021 IEEE Conference on Norbert Wiener in the 21st Century (21CW). https://doi.org/10.1109/21cw48944.2021.9532579

Saleem, H., & Naveed, M. (2020). SoK: Anatomy of data breaches. Proceedings on Privacy Enhancing Technologies, 2020(4), 153–174. https://doi.org/10.2478/popets-2020-0067

Shankar, N., & Mohammed, Z. (2020). Surviving data breaches: A multiple case study analysis. Journal of Comparative International Management, 23(1), 35–54. https://doi.org/10.7202/1071508ar

Spinello, R. A. (2011). Karol Wojtyla on artificial moral agency and moral accountability. The National Catholic Bioethics Quarterly, 11(3), 469–491. https://doi.org/10.5840/ncbq201111331
