10 Years After Yahoo Breach, What's Changed? (Not Much)

In September 2016, Yahoo copped to a breach of 500 million user records. Even today it's one of the top five biggest data breaches in history by sheer volume, yet it's only Yahoo's second biggest.

Andrew Komarov already knew by September of that year that Russian cybercriminals were in possession of hundreds of millions of Yahoo accounts. The Arizona-based CIO told the press at the time that a posse called "Group E" was selling the accounts en masse on the Dark Web at a price tag of $300,000. What he only learned later is that the contents of that breach, and the data being sold by Group E, were inconsistent. In fact, he'd been tracking an entirely separate breach, which turned out to have compromised three billion accounts, making it four times larger than the second largest data breach in history.

Even that wasn't the whole story. By that point, yet more cybercriminal entities — and intelligence agencies belonging to at least three separate nations — had been running loose inside of Yahoo's IT systems for years.

A batch of 200 million Yahoo accounts for sale on the Dark Web. Source: Vice Motherboard

The unprecedented breadth of Yahoo's security failures might have served as a wake-up call for the cybersecurity industry. Instead, experts warn that the underlying issues that enabled those events are still very much present in the Internet of 2024.

Recalls Gigamon CSO Chaim Mazal, who was asked to help Yahoo during its crisis but declined, "As someone who has been in the industry long enough to see this breach and the subsequent disclosures unfold in real time, it's amazing to think of how much time has passed since then, and how little progress we've made as an industry."

The Security Shortcomings a Decade Hasn't Resolved

"Though the Yahoo breaches occurred 10 and nine years ago, most organizations worldwide are as susceptible as Yahoo to three core issues," says Jasson Casey, CEO of Beyond Identity.

The first significant point, he says, was the means of the second attack (how the first occurred is unknown, thanks to missing logs). With a standard phishing email to a mid-level employee, Russian hacker Alexsey Belan gained initial access to Yahoo's IT systems. Then, according to a Department of Justice indictment, he and his FSB conspirators were able to gain access to any accounts they wished using a simple tool for forging cookies.

"There are two reasons this should be difficult to do. First, the value shouldn't be predictable. Second, these values shouldn't be vulnerable to disclosure to the adversary," Casey explains, before asking, rhetorically: "How often do you suppose both of these principles are adhered to by typical companies' Web developers building authentication into their applications?"

The second overarching parallel to today concerns how both the company and its users handled authentication data. Yahoo had encrypted some of its users' passwords with the defunct MD5 algorithm, and some security questions were left unencrypted. Users, meanwhile, were and still are guilty of password reuse. Perhaps because each of us has hundreds of online accounts, passwords remain as fraught today as ever. "Passwords are fundamentally flawed," Casey says. "Most multifactor authentication (MFA) techniques do not remove this risk, they only worsen the user experience. The only form of authentication that prevents this attack and protects the end user is phish-resistant multifactor authentication that does not rely on passwords."

Finally, he says, "there was a lack of commitment to protecting customers and governance of corporate security concerns." The list of Yahoo's offenses in this respect is long. Perhaps most famous was the company's stint with Alex Stamos, a high-profile consumer scientist Yahoo hired as CSO in 2014 on the premise of shaking things up, who in the end was nerfed and ignored.

"They hired Stamos only to lose him less than a year and a half later due to a lack of commitment to the security mission and, ultimately, governance at the board level. How similar is this story to the typical enterprise or business today?" Casey asks, with an air of sarcasm. (Specifically, Stamos resigned after learning that his CEO had secretly authorized a custom-built software tool enabling federal officials to read users' emails.)

The Good News: More Oversight After Yahoo's Breach

For everything that remains broken, there is one crucial part of Yahoo's story that simply would not fly now.

"The real takeaway is the pivotal shift it triggered in how companies handle data privacy and corporate accountability," posits AJ Yawn, partner-in-charge of product and innovation at Armanino.

Yahoo, you see, hadn't merely failed to adequately secure its data and let intelligence agencies spy on users. It missed or outright suppressed multiple data breaches that it suffered — including multiple smaller-scale cases before 2013, and the larger Operation Aurora. And a 10-K filing from 2017 revealed "that the Company's information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016."

Yahoo hid this information from Verizon during buyout negotiations in 2017 — and when it came to light, the deal valuation was significantly reduced. And the CEO declined to prompt users to reset their passwords, for fear they'd leave for other email services. All this, despite the threat to hundreds of thousands of US government and military personnel.

For such wanton oversights, the SEC fined Yahoo $35 million. Though that sum is relatively paltry, Yawn says, it was a statement. "The SEC's action against Yahoo for failing to adequately disclose the breach was a watershed moment. It underscored the importance of transparency and stakeholder communication during cyber incidents," he emphasizes.

Nowadays, the SEC requires companies to disclose such breaches within four days of discovery. "Recent SEC actions and regulatory developments elevate cybersecurity from a technical issue to a board-level concern with real consequences for negligence," Yawn says. "So, while some details may be antiquated, the Yahoo breaches’ legacy endures, highlighting the integral role of cybersecurity in corporate governance."