This is how Russian hackers broke into thousands of Yahoo accounts without passwords, according to the FBI
You can read the indictment here.
The breach involved more than 500,000 stolen Yahoo accounts in total, representing one of the biggest hacks of all time.
So how did the Russian hackers do it?
Essentially, the hackers managed to get hold of a secret directory that contained Yahoo user names, encrypted passwords and other information. They then used that data to trick Yahoo into thinking their web browsers were already logged into Yahoo's online service - a clever technique that meant they never needed to actually decrypt any passwords.
In practice, the stunt involved targeting specific accounts and creating fake web credentials to impersonate them. In the shady world of hacking, this is a fairly routine method of attack. But it got the job done.
Here's how it worked, according to the details provided in the FBI's indictments.
Yahoo's Yellow Pages and Fake Cookies
The key step, says the FBI, is that notorious hacker Alexsey Alexseyevich Belan got access and "stole a copy of at least a portion" of Yahoo's User Database (UDB).
The real jackpot in the UDB turned out to be "information required to manually create, or 'mint,' account authentication web browser 'cookies,'" the FBI says.
What does it mean to 'mint' a cookie?
Whenever you visit a website, it leaves a tiny file behind on your computer, called a "cookie." That cookie contains certain information about you, including whether or not you're logged in, and if so, with which account.
When you revisit a website, the site checks to see if you have a valid cookie, and whether or not the cookie has expired.
Many websites let users choose to stay logged in for as long as 30 days, with the cookie expiring thereafter. As long as the user's cookie hasn't expired, the user doesn't ever need to enter a password to log in (assuming they're using the same computer and browser). The site reads the cookie and thinks the user is already logged in.
The hackers essentially got Yahoo's cookie recipe with the directory information they stole. This meant they could create fake cookies for any account they wanted. The fake cookies basically fooled websites, such as Yahoo Mail, into thinking that a specific user was already logged in. Result: full access to that particular account, no password required.
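To make the mechanism concrete, here is an added, simplified model of a signed stay-logged-in cookie (example code written for this article, not Yahoo's actual format or any code from the indictment). It assumes an HMAC-signed payload as the "cookie recipe": anyone holding a copy of the server's signing key, as the stolen UDB contents gave the intruders, can mint a cookie that verifies exactly like a legitimate one, and the two defensive checks that shut that down are key rotation and server-side revocation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed format for illustration: base64url(payload) "." base64url(HMAC-SHA256(key, payload)).

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def issue_cookie(user: str, key: bytes, now: float, ttl: int = 30 * 86400) -> str:
    """Mint a cookie that says `user` is logged in until now + ttl (30 days by default)."""
    payload = json.dumps({"user": user, "exp": int(now) + ttl}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_cookie(cookie: str, key: bytes, now: float, revoked: set) -> Optional[str]:
    """Return the user name if the cookie is valid under the CURRENT key, else None."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
        data = json.loads(payload)
        user, exp = data["user"], int(data["exp"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not signed with the key the server currently trusts
    if exp < now or user in revoked:
        return None  # expired, or the account was force-logged-out server-side
    return user

def demo() -> dict:
    """Legit vs. minted cookie, then the two mitigations. Key is constructed at random."""
    key, now = secrets.token_bytes(32), time.time()
    legit = issue_cookie("alice", key, now)
    # A holder of a copy of the key needs no password: the same routine mints a valid cookie.
    minted = issue_cookie("victim", key, now)
    before = {"legit": verify_cookie(legit, key, now, set()),
              "minted": verify_cookie(minted, key, now, set())}
    rotated_key = secrets.token_bytes(32)  # mitigation 1: rotate the signing key after a breach
    after_rotate = verify_cookie(minted, rotated_key, now, set())
    after_revoke = verify_cookie(minted, key, now, {"victim"})  # mitigation 2: server-side revocation
    return {"before": before, "after_rotate": after_rotate, "after_revoke": after_revoke}
```

Note that the server cannot tell the minted cookie from the real one by inspection alone, which is why the password is never needed and why revocation state has to live server-side rather than in the cookie.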
Using this method, the hackers broke into the accounts of 6,500 specific targets, including Russian journalists and politicians, say prosecutors. The hackers also used access to 30 million accounts to "facilitate a spam campaign," presumably to make some extra cash off the heist.
And the breach went beyond Yahoo: using access to the Yahoo accounts, the hackers were able to obtain the password recovery emails for 18 of the targeted users and gain access to their Google or other accounts.
It's a scary example of how everything can fall apart with one breach, even if the attackers never know your password.