This is how Russian hackers broke into millions of Yahoo accounts without passwords, according to the FBI (YHOO, VZ)

The Russian hackers used fake cookies to get into millions of Yahoo accounts, according to

Russian spies and hackers teamed up to break into thousands of Yahoo accounts, the US Department of Justice said on Wednesday.

The breach involved more than 500 million stolen Yahoo accounts, representing one of the biggest hacks of all time.

Essentially, the hackers managed to get hold of a secret directory that contained Yahoo usernames, encrypted passwords, and other information. They then used that data to trick Yahoo into thinking their web browsers were already logged into Yahoo's online service — a clever technique that meant they never needed to actually decrypt any passwords.

The stunt involved targeting specific accounts and creating fake web credentials to impersonate them. In the shady world of hacking, this is a fairly routine method of attack. But it got the job done.

Here's how it worked, according to the details provided in the Justice Department's announcement of the indictment, which was the result of an investigation conducted by the FBI.

The key step, says the department, is that the notorious hacker Alexsey Alexseyevich Belan got access and "stole a copy of at least a portion" of Yahoo's user database.

The real jackpot in the database turned out to be "information required to manually create, or 'mint,' account authentication web browser 'cookies,'" the indictment said.

When you visit a website, it leaves a tiny file behind on your computer called a cookie. That cookie contains certain information about you, including whether you're logged in and, if so, with which account.

When you revisit a website, the site checks to see if you have a valid cookie and whether the cookie has expired.

The hackers essentially got Yahoo's cookie recipe with the directory information they stole. This meant they could create fake cookies for any account they wanted. The fake cookies basically fooled websites like Yahoo Mail into thinking that a user was already logged in. The result was full access to that particular account, no password required.
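
The following is an added example, not code from the article, the indictment or Yahoo. It uses a hypothetical cookie format (`user|expires|tag`) and a hypothetical per-account `nonce` field to show why a cookie whose inputs all live in the user database verifies for anyone holding a copy of that database, while a tag keyed with a secret stored elsewhere does not. It also shows how rotating the per-account value revokes outstanding cookies.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example; in practice it lives in a KMS/HSM, never in the user database.
SERVER_KEY = b"constructed-example-key"


def tag(user, nonce, expires, key=None):
    """Integrity tag over the cookie fields; key=None models the weak design."""
    msg = f"{user}|{nonce}|{expires}".encode()
    if key is None:  # weak: every input is also present in the user database
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint(user, nonce, expires, key=None):
    return f"{user}|{expires}|{tag(user, nonce, expires, key)}"


def verify(cookie, db, now, key=None):
    """Return the username for a valid, unexpired cookie, else None."""
    try:
        user, expires_s, presented = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed cookie
    record = db.get(user)
    if record is None or expires < now:
        return None  # unknown account or expired cookie
    expected = tag(user, record["nonce"], expires, key)
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return user if ok else None


def rotate_nonce(db, user):
    """Incident response: a new per-account value revokes every outstanding cookie."""
    db[user]["nonce"] = secrets.token_hex(16)


def demo(now=1_700_000_000):
    db = {"alice": {"nonce": "n-1001"}}       # constructed live record
    copied = {"alice": {"nonce": "n-1001"}}   # constructed copy of that record
    from_copy = mint("alice", copied["alice"]["nonce"], now + 3600)
    results = {"weak_accepts": verify(from_copy, db, now),
               "keyed_accepts": verify(from_copy, db, now, SERVER_KEY)}
    rotate_nonce(db, "alice")
    results["after_rotation"] = verify(from_copy, db, now)
    return results
```

`demo()` returns the verdict for the same cookie under the unkeyed design, the keyed design, and the unkeyed design after the per-account value is rotated.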

Using this method, the hackers broke into 6,500 targeted accounts, including those of Russian journalists and politicians, the Justice Department said. The hackers also used access to 30 million accounts to "facilitate a spam campaign," the department said, presumably to make some extra cash off the heist.

It's a scary example of how everything can fall apart with one breach, even if a hacker never knew your password.
