In 2014, Yahoo approached the FBI when they noticed a puzzling situation:
A nation-state actor was able to log in to multiple Yahoo accounts without any evidence of individual account compromise!
What started as this led to the unearthing of a cyberattack that impacted 3 billion accounts.
This is the story of the world's biggest data breach (in numbers). Read on.
Attack Flow:
Attacker sends a spear phishing email to a Yahoo employee > Employee falls for it > Device compromised > Attacker gets inside the corporate network.
Attacker recons the network > Discovers the User database (the one that contains all Yahoo users' information).
Attacker uses stolen creds from the network and gets access to User database.
To maintain persistence, attacker installs a backdoor on a Yahoo server > A few months later, using this access, attacker sets up an FTP channel and steals a backup copy of Yahoo's user db.
The database contained cryptographic values that could be used to generate cookies > Attacker now creates forged access cookies for specific user accounts > Accesses 6500 targeted accounts without passwords over 2 years!
Key Insights:
If you think about it, that 1 single click has led to the compromise of 3 billion accounts! There's nothing more important than protecting your user identities through all means - MFA, Phish-resistant creds, email filtering and so on.
Cookie/Token minting is the "holy grail" for attackers. When a user successfully authenticates, a cookie is dropped on the user's machine. If a hacker learns how this cookie value gets generated (the 'secret sauce') and they know the ingredients of that sauce (cryptographic secrets), they can generate the cookie for any user and log in as any user. Ensure both the sauce and the ingredients are highly protected.
After initial access, the attacker did not immediately pull the trigger. They studied the network, created backdoors for secret entry in future, moved laterally etc. All of this over 2 years. This is like the difference between a common burglar vs a master thief meticulously planning a heist. When facing a nation-state actor, it's beneficial to understand their methods and adopt a long-term strategy.
In this case, FTP was used to exfil several GBs of data from the database server. Today, there are many other ways to exfil beyond FTP. While everything cannot be 'fully controlled', detecting abnormal events, disallowing risky scenarios and having the right level of logs when an investigation is required is the key.
Reputation is fragile. It takes 20 years to build a reputation and one security incident to ruin it. The breach not only impacted users' trust but also affected Yahoo's acquisition by Verizon, reducing the sale price by $350 million.
The cryptographic values (nonces) associated with users changed when users changed their passwords. And so the attacker-generated cookies would fail whenever they targeted an account with a change after the database was stolen. Those failed cookies and attempts were logged by Yahoo's systems. Beyond this there is no published information on 'exactly' how this was identified first.
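As an added illustration (constructed for this post, not Yahoo's actual scheme or code), the sketch below ties the two points above together: a cookie is an HMAC over the user id and a per-user nonce from the user DB, so anyone holding the key and a DB backup can mint one, and rotating the nonce on password change plus logging failed verifications is what turns stale forged cookies into a detection signal. The nonce-per-user layout, the field names and the key location are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional, Tuple

# Assumption: the signing key lives server-side and is not in the user DB.
SERVER_KEY = b"constructed-demo-key"
# Constructed user DB: one nonce per user, rotated whenever the password changes.
user_db = {"alice": {"nonce": secrets.token_hex(16)}}
# Detection signal: count of cookies that failed verification, per user.
failed_cookie_log: Counter = Counter()


def _tag(user: str, nonce: str, key: bytes = SERVER_KEY) -> bytes:
    return hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).digest()


def mint_cookie(user: str, nonce: str, key: bytes = SERVER_KEY) -> str:
    """Issue a cookie; this needs only the key ('sauce') and the nonce ('ingredient')."""
    b64 = base64.urlsafe_b64encode
    return b64(user.encode()).decode() + "." + b64(_tag(user, nonce, key)).decode()


def verify_cookie(cookie: str) -> Optional[str]:
    """Accept only if the tag matches the *current* nonce; log every failure."""
    try:
        user_b64, tag_b64 = cookie.split(".")
        user = base64.urlsafe_b64decode(user_b64).decode()
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, UnicodeDecodeError):
        failed_cookie_log["<malformed>"] += 1
        return None
    record = user_db.get(user)
    if record is None or not hmac.compare_digest(tag, _tag(user, record["nonce"])):
        failed_cookie_log[user] += 1  # the kind of event Yahoo's logs captured
        return None
    return user


def rotate_nonce(user: str) -> None:
    """Run on password change: every cookie minted with the old nonce dies."""
    user_db[user]["nonce"] = secrets.token_hex(16)


def demo() -> Tuple[bool, bool, int]:
    # A cookie minted from a stolen DB backup verifies while the nonce is unchanged...
    stolen_backup = {u: dict(r) for u, r in user_db.items()}
    stale = mint_cookie("alice", stolen_backup["alice"]["nonce"])
    before = verify_cookie(stale) == "alice"
    rotate_nonce("alice")  # ...and fails, leaving a log entry, once the user changes password.
    after = verify_cookie(stale) == "alice"
    return before, after, failed_cookie_log["alice"]
```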
Happy Learning!