Russian spies and hackers teamed up to break into thousands of Yahoo accounts, the US Department of Justice alleged on Wednesday.
You can read the indictment here.
The breach involved more than 500 million stolen Yahoo accounts in total, representing one of the biggest hacks of all time.
So how did the Russian hackers do it?
Essentially, the hackers managed to get hold of a secret directory that contained Yahoo user names, encrypted passwords and other information. They then used that data to trick Yahoo into thinking their web browsers were already logged into Yahoo’s online service — a clever technique that meant they never needed to actually decrypt any passwords.
In practice, the stunt involved targeting specific accounts and creating fake web credentials to impersonate them. In the shady world of hacking, this is a fairly routine method of attack. But it got the job done.
Here’s how it worked, according to the details provided in the FBI’s indictments.
Yahoo’s Yellow Pages and Fake Cookies
The key step, says the FBI, is that notorious hacker Alexsey Alexseyevich Belan got access and “stole a copy of at least a portion” of Yahoo’s User Database (UDB).
Think of the UDB as a sort of central directory, or Yellow Pages, of all Yahoo users. It contains usernames, encrypted passwords, and other personal information. The UDB is a secret file that is obviously not meant to be accessible to the public.
The real jackpot in the UDB turned out to be “information required to manually create, or ‘mint,’ account authentication web browser ‘cookies,’” the FBI says.
What does it mean to ‘mint’ a cookie?
Whenever you visit a website, it leaves a tiny file behind on your computer, called a “cookie.” That cookie contains certain information about you, including whether or not you’re logged in, and if so, with which account.
When you revisit a website, the site checks to see if you have a valid cookie, and whether or not the cookie has expired.
Many websites let users choose to stay logged in for as long as 30 days, with the cookie expiring thereafter. As long as the user’s cookie hasn’t expired, the user doesn’t ever need to enter a password to log in (assuming they’re using the same computer and browser). The site reads the cookie and thinks the user is already logged in.
The hackers essentially got Yahoo’s cookie recipe with the directory information they stole. This meant they could create fake cookies for any account they wanted. The fake cookies basically fooled websites, such as Yahoo Mail, into thinking that a specific user was already logged in. Result: full access to that particular account, no password required.
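The lesson for anyone running a login system is that a signed cookie is only as trustworthy as the secret behind it: once the signing material leaks, every cookie it can produce must be treated as compromised. The following added example (not Yahoo's code; a constructed key-versioned HMAC cookie scheme with an invented per-user session counter) shows the two server-side controls that limit the damage: retiring a leaked key version so cookies signed with it stop validating, and bumping a user's session generation so every cookie minted for that user before the reset is rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side state (assumption: not Yahoo's real format).
KEYS = {1: b"old-signing-key-v1", 2: b"new-signing-key-v2"}
CURRENT_KEY_VERSION = 2
# Per-user session generation, bumped on password reset or forced logout.
USER_GENERATION = {"alice": 0}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_cookie(user, key_version=None, ttl=30 * 86400, now=None):
    """Issue a signed session cookie bound to the user's current generation."""
    key_version = key_version or CURRENT_KEY_VERSION
    now = now or int(time.time())
    payload = {"u": user, "g": USER_GENERATION[user], "exp": now + ttl, "kv": key_version}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(KEYS[key_version], body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate_cookie(cookie, now=None):
    """Return the user name if the cookie is valid, otherwise None."""
    now = now or int(time.time())
    try:
        body, sig = cookie.split(".")
        payload = json.loads(_unb64(body))
        key = KEYS.get(payload["kv"])          # retired key version -> rejected
        if key is None:
            return None
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None                        # tampered or forged signature
        if payload["exp"] < now:
            return None                        # expired
        # Server-side check: cookie must match the user's current generation,
        # so a forced logout invalidates everything minted before it.
        if payload["g"] != USER_GENERATION.get(payload["u"]):
            return None
        return payload["u"]
    except (ValueError, KeyError, TypeError):
        return None

def retire_key(version):
    """Stop accepting cookies signed with a leaked key version."""
    KEYS.pop(version, None)

def force_logout(user):
    """Invalidate every existing cookie for one account."""
    USER_GENERATION[user] += 1
```

After a suspected database or key leak, both controls are needed: rotating the key alone does nothing for cookies minted under a key still in the accepted set, and bumping generations alone does nothing if the attacker can mint a cookie carrying the new generation value.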
Using this method, the hackers broke into 6,500 specific targets, including Russian journalists and politicians, say prosecutors. The hackers also used access to 30 million accounts to “facilitate a spam campaign,” presumably to make some extra cash off the heist.
And the breach reached beyond Yahoo: using access to their Yahoo accounts, the hackers were able to get the password recovery emails for 18 of those targeted users and gain access to their Google or other accounts.
It’s a scary example of how everything can fall apart with one breach, even if the attackers never know your password.