Let’s go back to the year 2013… Bungled government health care, the Boston Marathon and Edward Snowden were all in the news. Twitter filed for an IPO, and Bitcoin started booming. At the same time, hackers pulled off a massive cyber attack that would expose sensitive information for over one billion users.
But this cyber attack would not be reported until three years later.
Yahoo, an American internet, media and online services company, reported in 2016 that “state sponsored” actors breached company databases and accessed user information for more than one billion accounts. The compromised information included names, email addresses, telephone numbers, dates of birth and unencrypted security questions that could be used to reset user passwords.
In a statement on the company blog, Chief Information Security Officer Bob Lord said that hackers devised a way to forge authentication cookies and access user accounts without knowing a user’s password. A forged cookie would also have allowed an attacker to remain logged in indefinitely to an unknowing user’s account.
Using this method, all applications and sites associated with Yahoo accounts could have been compromised and/or accessed by hackers, including Yahoo Email, Yahoo Finance, Flickr and Tumblr.
What was the fallout?
Yahoo was forced to notify all users of the breach and reset passwords for ALL three billion user accounts. At the time of the disclosure, Verizon Communications was under contract to purchase Yahoo and all its assets, but Verizon later cut $350 million from its offer price. Yahoo also faced several shareholder lawsuits after the breaches were made public.
Cybersecurity experts warned all Yahoo users to be on the lookout for email fraud and account takeovers. With the stolen data, criminals gained a higher chance of accessing financial accounts in cases where users had provided a Yahoo email address for those accounts. Experts also cautioned the public against using the same password and username on different sites and services.
How did the attack happen?
This attack may have been possible through the examination of Yahoo’s proprietary source code, stolen in a separate attack. By viewing the Yahoo source code, the attackers figured out how to create session cookies, allowing them to view account details without having to log in or know a user’s password.
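The server-side checks that counter the kind of cookie forgery described above, as an added example that is not from the original article or from Yahoo's code: the cookie carries a keyed MAC, an expiry time and a per-account generation number, so knowing how cookies are built is not enough to mint one, a cookie cannot stay valid indefinitely, and a password reset revokes older cookies. The key, the cookie layout and the in-memory account store are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical setup: the key, cookie layout and in-memory store are assumptions.
SERVER_KEY = b"constructed-demo-key"       # kept in a secrets store, not in source
ACCOUNTS = {"alice": {"generation": 1}, "bob": {"generation": 1}}
MAX_AGE = 3600                             # cookie lifetime in seconds


def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, now=None):
    """Issue 'user|generation|expires|mac' after a successful password login."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{ACCOUNTS[user]['generation']}|{now + MAX_AGE}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie, now=None):
    """Return the user name for a valid cookie, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        user, generation, expires, tag = cookie.split("|")
        payload = f"{user}|{generation}|{expires}"
        # 1. Integrity: only the holder of SERVER_KEY can produce this tag.
        if not hmac.compare_digest(tag.encode(), _mac(payload).encode()):
            return None
        # 2. Expiry: a cookie cannot keep a session alive indefinitely.
        if int(expires) < now:
            return None
        # 3. Revocation: a password reset invalidates cookies issued earlier.
        if int(generation) != ACCOUNTS[user]["generation"]:
            return None
        return user
    except (ValueError, KeyError):
        return None


def reset_password(user):
    """Bump the generation so every outstanding cookie for the user is rejected."""
    ACCOUNTS[user]["generation"] += 1
```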
What can you do to protect your data in the case of data breaches?
Use unique passwords
Use unique passwords for different sites and services, especially for banks and financial institutions. Try to use unique usernames for each site as well. Get a good password manager to keep track of your info.
Watch for suspicious account activity
Be on the lookout for suspicious account activity. Monitor your accounts for recent logins. Many services will show an alert for suspicious activity or unexpected logins, so keep an eye out for these notices.
Use two-factor authentication
Require that your most important accounts use two-factor authentication through your phone, SMS message or another email account. This will prevent someone from accessing your account using just a username/password combination.
Check if your information has been compromised
Find out if your data was exposed in a data breach. Use a tool like Firefox Monitor or HaveIBeenPwned.com.
The 2013 Yahoo data breach is just one of many security incidents at the company. Other attacks include 500 million accounts lost due to email phishing in 2014 and the potential compromise of all three billion user accounts, disclosed in 2017. To date, these are the largest known cyber attacks of all time.
New cyber attacks and data breaches can happen at any moment, so make sure to review your personal cybersecurity now.