A Canadian man has pleaded guilty to hacking charges related to a 2014 spear-phishing operation that targeted Yahoo employees. The hack ultimately compromised 500 million Yahoo accounts.
The operative, Karim Baratov, appeared in a San Francisco federal court on Tuesday afternoon. He also admitted that his role was to “hack webmail accounts of individuals of interest to the FSB,” the Russian internal security service. Baratov then sent those passwords to his alleged co-conspirator, Dmitry Aleksandrovich Dokuchaev.
Baratov was indicted in late February 2017 along with three other men who remain in Russia.
The prosecutors said Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43—both officers of the Russian Federal Security Service—worked with two other men—Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22—who were also indicted. The men gained initial access to Yahoo in early 2014 and began their reconnaissance, the indictment alleged. By November or December, Belan used the file transfer protocol to download part or all of a Yahoo database that contained user names, recovery e-mail accounts, and phone numbers. The user database (UDB) also contained the cryptographic nonces needed to generate the account-authentication browser cookies for more than 500 million accounts.
Belan also downloaded an account management tool (AMT) that Yahoo used to make and track changes to user accounts. Together, the pilfered UDB and AMT allowed Belan, Dokuchaev and Sushchin to locate Yahoo e-mail accounts of interest and to mint the authentication cookies needed to access 6,500 accounts without authorization. The accounts belonged to Russian journalists, Russian and US government officials, employees of a prominent Russian security company, and employees of other Internet companies the indicted men wanted to target. Belan and Baratov also used their access to commit additional crimes, including manipulating Yahoo search results to promote a scam involving erectile dysfunction drugs, stealing electronic gift cards, and sending spam messages to Yahoo users’ contacts.
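As an added illustration (not code from the indictment, from Yahoo, or from this article), the defensive design the UDB theft points to: a session cookie whose HMAC key is held outside the user database, so a stolen database alone cannot mint cookies, with two invalidation levers, global key rotation and a per-user nonce change on a forced password reset. The scheme, names and sample record are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed toy user database (hypothetical). This is the kind of record an
# attacker obtains by exfiltrating the UDB; it holds only a per-user nonce.
USER_DB = {"alice": {"session_nonce": secrets.token_hex(16)}}

# Cookie-signing key kept outside the user database (assumed to live in a
# KMS/HSM). Stealing USER_DB alone does not reveal it.
_SIGNING_KEY = {"id": 1, "key": secrets.token_bytes(32)}

def _mac(user: str, exp: int, key_id: int, nonce: str, key: bytes) -> str:
    msg = f"{user}|{exp}|{key_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def mint_cookie(user: str, ttl: int = 3600) -> str:
    """Issue a cookie bound to the user's current nonce and the current key."""
    exp = int(time.time()) + ttl
    mac = _mac(user, exp, _SIGNING_KEY["id"], USER_DB[user]["session_nonce"], _SIGNING_KEY["key"])
    return f"{user}|{exp}|{_SIGNING_KEY['id']}|{mac}"  # the nonce itself is never sent

def verify_cookie(cookie: str):
    """Return the user name for a valid cookie, None otherwise."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, exp, key_id, mac = parts
    if not (exp.isdigit() and key_id.isdigit()) or int(key_id) != _SIGNING_KEY["id"]:
        return None  # malformed, or signed under a rotated-out key (global invalidation)
    rec = USER_DB.get(user)
    if rec is None:
        return None
    expected = _mac(user, int(exp), int(key_id), rec["session_nonce"], _SIGNING_KEY["key"])
    if not hmac.compare_digest(mac, expected):
        return None  # forged, tampered, or the user's nonce changed since issue
    if int(exp) < int(time.time()):
        return None  # expired
    return user

def rotate_signing_key() -> None:  # invalidates every outstanding cookie
    _SIGNING_KEY["id"] += 1
    _SIGNING_KEY["key"] = secrets.token_bytes(32)

def reset_user_sessions(user: str) -> None:  # invalidates one user's cookies
    USER_DB[user]["session_nonce"] = secrets.token_hex(16)
```

Forcing password changes, as Yahoo did, maps onto reset_user_sessions; replacing the server-side key after a database theft maps onto rotate_signing_key.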
Three billion Yahoo accounts, spanning email, Tumblr, Fantasy, and Flickr, were hacked, three times as many as the company initially reported in 2016.
Names, email addresses, and passwords, but not financial information, were breached, Yahoo said last year.
The new disclosure comes four months after Verizon acquired Yahoo’s core internet assets for $4.48 billion. Yahoo is now part of Verizon’s digital media company, which is called Oath.
Verizon revised the number of breached accounts to three billion after receiving new information.
“The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft,” Verizon said in a statement.
Verizon would not provide any information about who the outside forensics experts are.
Yahoo will send emails to the additional affected accounts. Following the hacking revelations last year, Yahoo required password changes and invalidated unencrypted security questions to protect user information.
According to experts, it’s not uncommon for forensic investigations to expose a greater number of victims than initial estimates.
CEO Marissa Mayer announced that, once the proposed $4.8 billion sale to Verizon is completed, she would resign from the company’s board, and the company could even get a new name.
After the Verizon deal closes, the company would be renamed Altaba.
Yahoo admitted that back in 2014 there was a theft of 500 million accounts. However, Verizon, which announced in July that it would acquire Yahoo for $4.83 billion, has not finalized the acquisition and says the breach is news to it.
The hacking of Yahoo accounts comes at a bad time, as Yahoo is in the process of selling itself to the giant Verizon. The hack became known in August, when an infamous cybercriminal named “Peace” said on a website that he was selling the credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The data allegedly included user names, easily cracked passwords, and personal information such as birth dates and other email addresses.
The notorious black hat says he has more than 200 million hacked Yahoo accounts for sale on the dark Web. Yahoo is refusing to comment on its veracity. Yahoo accounts are primarily used to log into the company’s webmail service, but also for other sites like Flickr. It is uncertain at this point whether Yahoo has itself been breached, but the account data has been publicly available on a Tor-accessible marketplace called The Real Deal since Monday, and is apparently being sold by a hacker known as Peace, who has previously been linked to large-scale sales of MySpace and LinkedIn account details in 2012.
The entire dump, which apparently contains usernames, passwords hashed with the MD5 algorithm, dates of birth, and occasional backup email addresses, can be bought for three bitcoins (roughly £1,360 or $1,813).
Yahoo recommends creating stronger passwords.