Russian spies and hackers teamed up to break into thousands of Yahoo accounts, the US Department of Justice said on Wednesday.
The breach involved more than 500 million stolen Yahoo accounts, representing one of the biggest hacks of all time.
So how did the hackers do it?
Essentially, the hackers managed to get hold of a secret directory that contained Yahoo usernames, encrypted passwords, and other information. They then used that data to trick Yahoo into thinking their web browsers were already logged into Yahoo’s online service – a clever technique that meant they never needed to actually decrypt any passwords.
The stunt involved targeting specific accounts and creating fake web credentials to impersonate them. In the shady world of hacking, this is a fairly routine method of attack. But it got the job done.
Here’s how it worked, according to the details provided in the Justice Department’s announcement of the indictment, which was the result of an investigation conducted by the FBI.
Yahoo’s Yellow Pages and fake cookies
The key step, says the department, is that the notorious hacker Alexsey Alexseyevich Belan got access and “stole a copy of at least a portion” of Yahoo’s user database.
Think of the database as a sort of central directory, or Yellow Pages, of all Yahoo users. It contains usernames, encrypted passwords, and other personal information. The database is a secret file not meant to be accessible to the public.
The real jackpot in the database turned out to be “information required to manually create, or ‘mint,’ account authentication web browser ‘cookies,’” the indictment said.
What does it mean to ‘mint’ a cookie?
When you visit a website, it leaves a tiny file behind on your computer called a cookie. That cookie contains certain information about you, including whether you’re logged in and, if so, with which account.
When you revisit a website, the site checks to see if you have a valid cookie and whether the cookie has expired.
Many websites let users choose to stay logged in for as long as 30 days, with the cookie expiring after that period. As long as the user’s cookie hasn’t expired, they never need to enter a password to log in, assuming they’re using the same computer and browser. The site reads the cookie and treats the user as already logged in.
The hackers essentially got Yahoo’s cookie recipe with the directory information they stole. This meant they could create fake cookies for any account they wanted. The fake cookies basically fooled websites like Yahoo Mail into thinking that a user was already logged in. The result was full access to that particular account, no password required.
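The mechanism described in the last few paragraphs (a site checks a cookie instead of a password, and whoever holds the material used to create cookies can create one for any account) is easiest to see with a concrete signed-cookie scheme. The following is an added example written for this article; it is not Yahoo’s code, and the key values, user names and timestamps are constructed. The signing key plays the role of the “recipe”: a cookie built with it verifies for any user, so the two defender-side controls shown are rotating the key, which invalidates every cookie minted under the old one, and a per-user “earliest acceptable issue time” kept server-side, which forces a re-login for chosen accounts without changing the key.

```python
"""Signed session cookies: how a site verifies one, why possession of the
signing key is enough to mint one, and the two controls that limit the
damage when that key leaks.  Constructed example, not Yahoo's code."""
import base64
import hashlib
import hmac
import json


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_cookie(key: bytes, user: str, issued_at: int, ttl: int) -> str:
    """Produce 'payload.tag'. Anyone who holds `key` can do this for any
    user name, which is exactly why the key must stay secret."""
    claims = {"user": user, "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_cookie(key: bytes, cookie: str, now: int, min_iat=None):
    """Return the user name if the cookie is authentic and current, else None.
    `min_iat` is an optional server-side map user -> earliest acceptable
    issue time; cookies issued before it are rejected (forced re-login)."""
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    try:
        payload, tag = _b64d(parts[0]), _b64d(parts[1])
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    user, iat, exp = claims.get("user"), claims.get("iat"), claims.get("exp")
    if not (isinstance(user, str) and isinstance(iat, int) and isinstance(exp, int)):
        return None
    if now >= exp:
        return None
    if min_iat is not None and iat < min_iat.get(user, 0):
        return None
    return user


def demo() -> dict:
    """Walk through the cases a defender cares about; values are constructed."""
    key_v1 = b"constructed-demo-key-v1"        # real key: random, from a secret store
    now = 1_700_000_000
    cookie = mint_cookie(key_v1, "alice", now, ttl=30 * 86400)
    out = {}
    out["genuine"] = verify_cookie(key_v1, cookie, now + 60)             # "alice"
    out["expired"] = verify_cookie(key_v1, cookie, now + 31 * 86400)     # None
    # Editing the payload without the key leaves a tag that no longer matches.
    other = json.dumps({"user": "bob", "iat": now, "exp": now + 86400}, sort_keys=True).encode()
    tampered = _b64e(other) + "." + cookie.split(".")[1]
    out["tampered"] = verify_cookie(key_v1, tampered, now + 60)          # None
    # Control 1: rotate the key; every cookie minted under v1 stops working.
    key_v2 = b"constructed-demo-key-v2"
    out["after_rotation"] = verify_cookie(key_v2, cookie, now + 60)      # None
    # Control 2: invalidate one user's sessions without touching the key.
    earliest_ok = {"alice": now + 1}
    out["after_revocation"] = verify_cookie(key_v1, cookie, now + 60, min_iat=earliest_ok)  # None
    return out


if __name__ == "__main__":
    print(demo())
```

The `tampered` case is what a signature protects against: an attacker who lacks the key cannot change the user name. It does nothing against an attacker who has the key, so once the minting material is suspected stolen, the response is the `after_rotation` path (rotate, and log every failed verification during the cut-over, since a burst of signature failures from one source is a useful signal) plus the `after_revocation` path for accounts that need to be cut off immediately.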
Using this method, the hackers broke into 6,500 targeted accounts, including those of Russian journalists and politicians, the Justice Department said. The hackers also used access to 30 million accounts to “facilitate a spam campaign,” the department said, presumably to make some extra cash off the heist.
It’s a scary example of how everything can fall apart with one breach, even if a hacker never knew your password.