The FBI says hackers used social-engineering techniques on a “semi-privileged” Yahoo employee to break into the company’s systems and access 500 million user accounts.
In an interview with Ars Technica, FBI agent Malcolm Palmore said the hackers were able to use a “spear phishing” email to gain the Yahoo employee’s credentials. Spear phishing emails can encompass various techniques designed to trick the recipient into giving up his or her personal information. Phishing emails usually appear to come from a trusted source.
One of the best-known recent phishing cases involved John Podesta, the campaign manager for Hillary Clinton’s 2016 presidential run, who fell victim to such an email, causing his private messages to leak.
The US Department of Justice released an indictment Wednesday charging two Russian intelligence agents and two others in connection with the 2014 hacks that compromised 500 million Yahoo user accounts. The DOJ says the two members of Russia’s FSB intelligence agency, Dmitry Dokuchaev and Igor Sushchin, “protected, directed, facilitated, and paid” the other two hackers to break into the Yahoo accounts.
The attack was separate from another one in 2013 that compromised 1 billion Yahoo accounts; no one has been blamed for that attack yet.