Yahoo’s Three Hacks

As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

2012 alleged Peace affiliated hack

In August, Motherboard reported — and reported to Yahoo — that the hacker known as Peace, who may have ties to Ukrainian and/or organized crime and also sold the MySpace and LinkedIn credentials, was selling credentials from what he said were 200 million accounts hacked in 2012. But when Motherboard tried to verify the data, some of it came back as out of date or invalid.

According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. Until Yahoo confirms a breach, however, or the full dataset is released for verification, it is possible that the data is collated and repackaged from other major data leaks.

[snip]

Motherboard obtained a very small sample of the data—only 5000 records—before it was publicly listed, and found that most of the two dozen Yahoo usernames tested by Motherboard did correspond to actual accounts on the service. (This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn’t recognised, it was not possible to continue.)

However, when Motherboard attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable. “This account has been disabled or discontinued,” read one autoresponse to many of the emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account.”

2014 state actor hack

Yahoo claims it discovered the 500 million user hack in its investigation of the Peace allegations in August. The details being released now, in particular the password hashing used for the accounts, vary from what Peace claimed in August.

A source familiar with the investigation told Motherboard on Thursday that, although no direct evidence was found to support Peace’s claims, Yahoo conducted a broader investigation, and during that time, they found the attack from what they described as a state-sponsored actor in 2014. The source declined to provide any evidence that the attack was state-sponsored, but said that the company strongly believed it to be the case.

According to Yahoo’s announcement, the majority of passwords were hashed with the strong hashing function bcrypt, meaning that hackers will have a much harder time at obtaining many users’ real passwords. The source claimed that only a very small percentage of password hashes were not bcrypt.

Note, while Yahoo is claiming this was a hack done by a state actor, it has not said what state actor.

Also, Yahoo appears to be suggesting that Peace’s claim he had Yahoo credentials was not true. Though, given that Yahoo is being acquired by Verizon at the moment, they would have an incentive to claim they didn’t know about this massive hack earlier.

2016 individual hack tied to DNC

Finally, an individualized hack of a Yahoo user — DNC consultant Alexandra Chalupa — was an independent source of the claim that DNC hackers might have ties to Russia or Ukraine. While the hack was evident from emails released by WikiLeaks, Chalupa had worked with Yahoo’s Michael Isikoff previously and he added details explaining her suspicions about the timing.

“I was freaked out,” Chalupa, who serves as director of “ethnic engagement” for the DNC, told Yahoo News in an interview, noting that she had been in close touch with sources in Kiev, Ukraine, including a number of investigative journalists, who had been providing her with information about Manafort’s political and business dealings in that country and Russia.

“This is really scary,” she said.

[snip]

Chalupa’s message, which had not been previously reported, stands out: It is the first indication that the reach of the hackers who penetrated the DNC has extended beyond the official email accounts of committee officials to include their private email and potentially the content on their smartphones. After Chalupa sent the email to Miranda (which mentions that she had invited this reporter to a meeting with Ukrainian journalists in Washington), it triggered high-level concerns within the DNC, given the sensitive nature of her work. “That’s when we knew it was the Russians,” said a Democratic Party source who has knowledge of the internal probe into the hacked emails. In order to stem the damage, the source said, “we told her to stop her research.”

A Yahoo spokesman said the pop-up warning to Chalupa “appears to be one of our notifications” and said it was consistent with a new policy announced by Yahoo on its Tumblr page last December to notify customers when it has strong evidence of “state sponsored” cyberattacks.

Significantly, this story, at least, claims this (and not cyber consultant CrowdStrike) is where DNC certainty that the hack was perpetrated by Russians came from.

Note that Chalupa’s Yahoo address was also affected in the LinkedIn hack, which exposed a simple password.

For now, I’m just presenting these three separate hacks as data points of interest.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

4 replies
  1. Stephen says:

    What I would like to know is why are we only now hearing about it even though it has now been two years since the 2014 state actor hack. Some sites are now recommending Yahoo users need to change their Yahoo passwords & other details ASAP, but while that still needs to be done it seems a little late for that if two years have gone by since that hack. (By that I mean the aim of changing passwords is to prevent damage or further compromises or thefts.)

  2. Evangelista says:

    A number of years ago I was doing a significant amount of intercontinental emailing.  Because of its international presence I was using Yahoo! email for a substantial portion.  Nothing I emailed was politically or economically significant, but I tended (or tend) to comment on amusing (to me) topics of the day, usually making amusing (to me) comments or critiques.  In some of these, before The Age of Panic, meaning before 09/11/01, I commented in regard to atomic science and what is called “depleted uranium” munitions (in which the depleted uranium is an inert ingredient whose function is to control the reaction-rate of live isotopes, to produce a nuclear “flame-front” sufficient to maintain combustion in metallic armor [vaporizing it to plasma] for the duration of a penetration [until the remnant exits, running out of metal fuel, or the reactive nuclear isotope maintaining the atomic “flame” is exhausted]).  The slowing of the nuclear combustion from free chain-reaction to a kinetic energy maintained “flame-front”, effected by the depleted uranium in “depleted uranium penetrators” that makes them effective as penetrators, as they are penetrating, like all slowing of all combustions from free full-speed to slower with lower temperatures, results in less complete combustion, and, therefore, more not fully converted (burned to final ‘clean’ form, pure ash) byproduct (soot, creosote, charcoal/coke, gas in chemical combustion, hot fall-out pollution, plutonium et al, in nuclear combustion), wherefore, although “depleted uranium munitions” work great, smoking straight through steel and depleted uranium (yes, the stuff is metal, like lead but slightly denser, and is used for armor, too, [tank turrets and such] being soft and kinetic-energy absorbent, hard to penetrate, except by combustion, and resistant to fracturing) and blows plasma (metal vapor, rather than liquid, meaning much higher temperature) out the other side where it exits, because of the nuclear “creosote” and “gas” being highly radioactive, and deadly for an extensive half-life, and widely dispersible as dust and particle in an extended, and extending, environmental area, use of the munitions needs to be banned.  They work so well, however, that those who use them (the U.S. and its allies, Britain, NATO, perhaps some others) not only do not want them banned, they want them to remain NOT classified “Nuclear Weapons”, which would bring them under all kinds of pesky rules and regulations and controls.

    For this those who want to use the munitions dismiss those who question the use of them and roll their eyes heaving great sighs when the questioners suggest the munitions may produce more radiation, radiation damage and radiation sickness than the “old lead-based house-paint” that the munitions are regularly compared to for ‘radiation level’ (which is correct for the munitions in storage and magazines, and even after they are shot, before they hit something their active isotope component can set on fire and so, itself, burn).  These defenders get really pissed-off when someone explains how the munitions work and how they are able to do what they do, which I do, since it seems to me somebody needs to.  Which is one reason you had to slog through the preceding mini-essay to get to here.

    Here is where I return to Yahoo! and Yahoo! mail and my use of Yahoo! Mail for international email, and shortly after I emailed some off-hand explanation, similar to the above using Yahoo! Mail.  My Yahoo! email provider suddenly changed, almost imperceptibly.  It changed from Yahoo! dot com to Yahoo! dot co.

    The reason was, of course, that United States law, which The Powers, back then, were not yet sure they were in power securely enough they could simply blow off, prohibited getting into people’s private communication properties.  But British law did not…  Isn’t that cool?  Good ol’ Michael Hayden, at, if not in charge of the NSA back in those days, could keep his hands clean, and remain legal, not digging through my emails, by having Yahoo! switch my account to a .co, and so Britain-based account and having the friendly folk at GCHQ vac the account, legally, and send him, and everyone else in the U.S.A. copies, legally…

    I suspect that in 2012 and ’14 it began to look to Yahoo! as if this practice might be coming up to scrutiny, and the open access to hundreds of millions of Yahoo! accounts by GCHQ, a “State Actor”, might require some arse-covering explanation.

    As for me, if anyone is interested, I still have a couple of Yahoo! accounts, I think, but I no longer use email for any non pin-it-on-the-bulletin-board communicating, I am still a pain in the arse, covered or uncovered, to those who find me so, and I still, as demonstrated above, gratuitously explain depleted uranium penetrator munitions, and why they are nuclear weapons.

  3. blueba says:

    I’m just wondering if anyone else thinks it is impossible to stop hacking and/or spying through digital technology and the internet. It seems to me that the internet has been despoiled just as our physical environment has been, for profit. During the gold rush at the beginning, corporations and other forces built software as quickly as possible and, I was living in SF during the 1990s, there wasn’t even any talk of security. The software was sloppy, short cuts were made, there was only a token security budget, and now the internet is filled with junk software, garbage code and is so despoiled by this it is now beyond repair. Also, of course there is malicious code put there deliberately too. However, it is garbage left behind as the internet was strip mined for profits; just as BA in the Gulf of Mexico and the burning of the Amazon for profit have damaged our physical environment, so too the garbage left behind by Microsoft and many other companies is what we must contend with today. So it was sloppy coding, greed and spying combined which have damaged the internet probably beyond repair.
