In September 2016, Yahoo copped to a breach of 500 million user records.
Even today it's one of the top five biggest data breaches in history by sheer volume, yet it's only Yahoo's second biggest.
Rew Komarov already knew by September of that year that Russian cybercriminals were in possession of hundreds of millions of Yahoo accounts.
What he only learned later is that the contents of that breach, and the data being sold by Group E, were inconsistent.
He'd been tracking an entirely separate breach, which turned out to have compromised three billion accounts, making it four times larger than the second largest data breach in history.
By that point, yet more cybercriminal entities - and intelligence agencies belonging to at least three separate nations - had been running loose inside of Yahoo's IT systems for years.
A batch of 200 million Yahoo accounts for sale on the Dark Web.
The unprecedented breadth of Yahoo's security failures might have served as a wake-up call for the cybersecurity industry.
With a standard phishing email to a mid-level employee, Russian hacker Alexsey Belan gained initial access to Yahoo's IT systems.
According to a Department of Justice indictment, he and his FSB conspirators were able to gain access to any accounts they wished using a simple tool for forging cookies.
The second overarching parallel to today concerns how both the company and its users handled authentication data.
Yahoo had encrypted some of its users' passwords with the defunct MD5 algorithm, and some security questions were left unencrypted.
Perhaps because each of us has hundreds of online accounts, passwords remain as fraught today as ever.
Perhaps most famous was the company's stint with Alex Stamos, a high-profile consumer scientist Yahoo hired as CSO in 2014 on the premise of shaking things up, who in the end was nerfed and ignored.
The Good News: More Oversight After Yahoo's Breach For everything that remains broken, there is one crucial part of Yahoo's story that simply would not fly now.
Yahoo, you see, hadn't merely failed to adequately secure its data and let intelligence agencies spy on users.
Yahoo hid this information from Verizon during buyout negotiations in 2017 - and when it came to light, the deal valuation was significantly reduced.
The CEO declined to prompt users to reset their passwords, for fear they'd leave for other email services.
For such wanton oversights, the SEC fined Yahoo $35 million.
Nowadays, the SEC requires companies to disclose such breaches within four days of discovery.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 02 Jan 2024 14:00:44 +0000