2. Yahoo – Unauthorized Access Data Breach
Page 1 of 11
Table of Contents
Yahoo – Unauthorized Access Data Breach ...... 2
Incident Description ...... 2
Indicators ...... 3
1. Possible indicators ...... 3
2. Probable indicators ...... 3
3. Definite indicators ...... 3
Incident Response Plan - During an Attack ...... 4
1. Preparation ...... 4
2. Detection and Analysis ...... 5
3. Communication ...... 6
4. Activation and Response ...... 6
5. Containment ...... 6
Incident Response Plan - After an Attack ...... 7
1. Eradication / Remediation ...... 7
2. Recovery / Resolution ...... 7
3. After-Action Analysis ...... 8
Incident Response Plan - Before an Attack ...... 9
1. Preventive Measures ...... 9
2. Preparations of the IR Team ...... 9
3. Training the CSIRT ...... 10
4. Selecting and Maintaining Tools ...... 10
5. Training the Users ...... 10
6. Testing the IR Plan ...... 11
Yahoo – Unauthorized Access Data Breach
Incident Description
Yahoo was the victim of a significant cybersecurity attack in 2013, the greatest known attack on its computer network. The sensitive information of all three billion user accounts, including names, birth dates, phone numbers, and passwords, was accessed by cybercriminals. In addition, the hackers acquired backup email addresses and security questions, details that are useful for breaking into other accounts belonging to the same user.
The cyberattack seriously hurt Yahoo's reputation and business operations. The disclosure of the breaches almost derailed the company's $4.48 billion (about $14 per person in the US) sale to Verizon. Because of the security breaches, Verizon reduced its original offer by $350 million. After the breaches were made public, Yahoo was subject to several shareholder lawsuits, which might have increased Verizon's financial obligations.
In addition, the attack had a serious negative effect on the impacted users. The danger of account takeovers and email phishing was higher because many of the three billion Yahoo accounts belonged to customers who reused their login information across numerous websites, products, and services. With the information they obtained, the hackers might be able to access the victims' bank accounts.
The incident also affected cybersecurity more broadly. Cybersecurity experts advised that the breach highlighted the risks of password reuse and underlined the importance of using stronger passwords in future. It raised concerns about nation-state hacking and cyber warfare, because the attackers were thought to be Russian and potentially connected to the Russian government.
In summary, both Yahoo and its customers suffered significantly because of the 2013 cyberattack on the Yahoo business. It highlighted the importance of security and the risks of password reuse, and it raised concerns about nation-state cyber surveillance and cyber warfare. To protect their operations and reputation, organizations must take proactive measures to protect their networks and stop cyberattacks.
Indicators
1. Possible indicators – Here are some of the possible indicators for Yahoo:
• A high percentage of failed login attempts
• An increase in phishing attacks against Yahoo customers or employees
• Suspicious email behaviour, such as a rise in the number of emails sent or received
• Unexpected adjustments to user accounts
• Logins from unknown locations or network devices
• Unusual network traffic patterns
2. Probable indicators – Here are some of the probable indicators for Yahoo:
• An increase in Yahoo's distribution of security updates or patches
• Suspicious or unusual network traffic patterns originating from multiple places
• Many reports of suspicious behaviour from different users' accounts
• Increasing instances of phishing attacks targeting employees
3. Definite indicators – Here are some of the definite indicators for Yahoo:
• Exposure of confidential user account information, e.g.
  o Phone numbers
  o Email addresses
  o Dates such as birthdays
  o Security questions and responses
• Damage to Yahoo's reputation and a drop in its stock price
• Evidence of state-sponsored hackers' participation in the cybercrime
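The login-related possible indicators above (a high share of failed login attempts, logins from unknown locations, unexpected adjustments to user accounts) expressed as detection logic over constructed authentication events. This is an added example, not part of the report; the event format, the thresholds and the KNOWN_LOCATIONS baseline are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real Yahoo data), one dict per authentication
# attempt in the shape a SIEM export might have. "change" records an account
# setting modified in the same session, if any.
SAMPLE_EVENTS = [
    {"user": "alice", "country": "US", "ok": True,  "change": None},
    {"user": "alice", "country": "US", "ok": True,  "change": None},
    {"user": "bob",   "country": "US", "ok": False, "change": None},
    {"user": "bob",   "country": "US", "ok": False, "change": None},
    {"user": "bob",   "country": "US", "ok": False, "change": None},
    {"user": "bob",   "country": "US", "ok": False, "change": None},
    {"user": "bob",   "country": "XX", "ok": True,  "change": "recovery_email"},
    {"user": "carol", "country": "DE", "ok": True,  "change": "password"},
]

# Assumed baseline from the Preparation phase: countries each user has
# previously authenticated from.
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}}


@dataclass
class Findings:
    attempts: int = 0
    failures: int = 0
    new_locations: set = field(default_factory=set)
    risky_changes: list = field(default_factory=list)

    def reasons(self, fail_ratio, min_attempts):
        """Translate the counters into the report's indicators that were matched."""
        out = []
        if self.attempts >= min_attempts and self.failures / self.attempts >= fail_ratio:
            out.append(f"failed-login ratio {self.failures}/{self.attempts}")
        if self.new_locations:
            out.append("login from unknown location: " + ",".join(sorted(self.new_locations)))
        if self.risky_changes:
            out.append("account change after unknown-location login: " + ",".join(self.risky_changes))
        return out


def analyze(events, known_locations, fail_ratio=0.5, min_attempts=4):
    """Return {user: [reason, ...]} for every user matching at least one indicator."""
    per_user = defaultdict(Findings)
    for ev in events:
        f = per_user[ev["user"]]
        f.attempts += 1
        if not ev["ok"]:
            f.failures += 1
            continue
        # Successful login from a country never seen for this user.
        if ev["country"] not in known_locations.get(ev["user"], set()):
            f.new_locations.add(ev["country"])
            # Changing the recovery email or security question straight after
            # such a login matches the report: the stolen backup addresses and
            # security questions are exactly what lets an attacker pivot to
            # other accounts of the same user.
            if ev["change"] in ("recovery_email", "security_question"):
                f.risky_changes.append(ev["change"])
    findings = {}
    for user, f in per_user.items():
        reasons = f.reasons(fail_ratio, min_attempts)
        if reasons:
            findings[user] = reasons
    return findings
```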
Incident Response Plan - During an Attack
The following steps should be taken during an attack to minimize the impact of the data breach.
1. Preparation:
The objective of this phase is to prepare Yahoo to respond effectively to information security incidents. The required preparation categories are:
a. Team Members:
For effective preparation and management of incidents, Yahoo maintains a dedicated team called the incident response team. The primary role of this team is to scrutinize and analyze any security data breach event and take appropriate corrective actions.
b. Asset Identification / Classification:
Yahoo should identify and prioritize its critical assets and data, which will help in determining the level of response required for each asset in case of an incident. Additionally, it should conduct regular vulnerability assessments and penetration testing to detect potential weaknesses in its security systems.
2. Detection and Analysis:
The detection and analysis procedure is a crucial part of the incident response plan during an incident involving unauthorized access. This process enables us to swiftly pinpoint the incident's origin and extent, gauge its possible consequences, and put efficient mitigation strategies in place.
The first step is to investigate the breach to ascertain where it happened, what information was compromised, and how the hacker gained access to the network and compromised systems. In general, incidents are detected from either external or internal sources.
a. External Detection: If the report of an incident originates from outside the organization, verify the reporter's identity and affiliation before proceeding further.
b. Internal Detection: Yahoo's IT team and customers should be familiar with their systems so that they can determine whether an event constitutes an information security incident. The IT team reviews their systems and logs to identify deviations from normal operations.
c. Common indicators that a computer, device, or system may be compromised:
• Alerts from monitoring tools (e.g., Defender, anti-malware tools).
• Unexpected accounts or permission changes.
• Unexpected running processes.
• Unexpected configuration changes to the network, sessions, and ports.
• Altered DNS and ARP tables or changes to the contents of the hosts file.
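One way to check the host-compromise indicators in item c (unexpected accounts, processes and listening ports, an altered hosts file, changed DNS settings) against a baseline recorded in the Preparation phase. This is an added example, not from the report; the snapshot fields and values are assumed, and the same comparison also serves the Recovery phase's baseline check described later in the plan.

```python
# Constructed baseline snapshot (not real Yahoo data): what the Preparation
# phase would record for one host, covering the indicators listed above.
BASELINE = {
    "accounts": {"root", "www", "backup"},
    "listening_ports": {22, 443},
    "processes": {"sshd", "httpd", "cron"},
    "hosts": {"localhost": "127.0.0.1", "login.example.test": "192.0.2.10"},
    "dns_servers": ["192.0.2.53"],
}

# Constructed snapshot of the same host taken during Detection and Analysis.
CURRENT = {
    "accounts": {"root", "www", "backup", "svc_update"},
    "listening_ports": {22, 443, 9001},
    "processes": {"sshd", "httpd", "cron", "updater"},
    "hosts": {"localhost": "127.0.0.1", "login.example.test": "198.51.100.7"},
    "dns_servers": ["198.51.100.53"],
}


def compare_snapshots(baseline, current):
    """Return a list of human-readable deviations; an empty list means the host
    still matches its baseline."""
    deviations = []
    # Set-valued items: anything added or removed is a deviation.
    for key in ("accounts", "listening_ports", "processes"):
        for item in sorted(current[key] - baseline[key], key=str):
            deviations.append(f"{key}: unexpected {item!r} present")
        for item in sorted(baseline[key] - current[key], key=str):
            deviations.append(f"{key}: expected {item!r} missing")
    # Hosts file: new names and changed addresses both matter, since either
    # can silently redirect users or services.
    for name, addr in sorted(current["hosts"].items()):
        expected = baseline["hosts"].get(name)
        if expected is None:
            deviations.append(f"hosts: new entry {name} -> {addr}")
        elif expected != addr:
            deviations.append(f"hosts: {name} changed {expected} -> {addr}")
    for name in sorted(set(baseline["hosts"]) - set(current["hosts"])):
        deviations.append(f"hosts: entry {name} removed")
    # DNS resolvers are compared in order, because resolution order matters.
    if current["dns_servers"] != baseline["dns_servers"]:
        deviations.append(
            f"dns: resolvers changed {baseline['dns_servers']} -> {current['dns_servers']}"
        )
    return deviations


def verified_for_restore(baseline, current):
    """Recovery-phase gate: a rebuilt system goes back online only when it
    shows no deviation from its baseline."""
    return not compare_snapshots(baseline, current)
```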
3. Communication:
Once a breach is confirmed, the response team should have the logistics team notify the corresponding business units to cease work because of the data compromise. The Legal, Compliance and Risk Management teams should also be notified.
4. Activation and Response:
For major risk incidents, Yahoo's Major Risk Incident process must be activated. Its purpose is to bring all required parties and teams together on a bridge call and to set management's expectations for the timing and frequency of response updates.
5. Containment:
Yahoo's priority is to contain the incident. An incident is considered contained when no additional harm can be caused and the incident handler can focus on remediation. Containment consists of the following stages:
a. Short-term containment to stop the progress of the incident or attacker, which comprises:
• Quarantine (contain the incident within the Yahoo network and keep Yahoo from spreading the attack to anyone else).
• Isolation (cut the affected systems off so that they cannot attack any other systems within Yahoo, including servers).
• Information gathering, covering affected (or potentially affected) individuals and systems.
b. Long-term containment, including making changes to the production system.
Incident Response Plan - After an Attack
1. Eradication / Remediation:
The next stage for the incident response team is to pinpoint the incident's underlying cause and take corrective measures to prevent a recurrence. The necessary remedial actions are listed below:
a. Identify the incident's cause(s) and symptoms and record them.
b. Isolate the attack based on information gathered during the detection phase.
c. Determine how the attack was executed.
d. Remove vulnerabilities/artifacts (e.g., rootkits, compromised applications, drivers, modules) left by the incident. Check whether the Disaster Recovery (DR) site is affected.
e. Perform a risk assessment, network vulnerability assessment, penetration testing and any other assessments required by the legal team to determine whether there is a weakness that could be targeted.
f. Restore data from backup. If the DR site is not affected, also perform a failover to it for business continuity.
2. Recovery / Resolution:
In this stage the team restores the affected systems and resumes production with the utmost care to prevent any recurrence of the incident. It also involves critical decisions about the suitable time for restoring operations, the methods to use, and how long the impacted system is monitored in production to ensure normality.
a. Handle Incident Resolution:
Review the root cause derived from the Eradication process with the required team members, including the Incident Response Team, HR, Legal/Risk and Compliance, Public Relations, IT, etc. Once all these teams have confirmed, proceed to the Incident Resolution step.
b. Verify system performance and security before the system is brought back online.
c. Complete tests and compare against baseline system activity (gathered in the Preparation phase) to ensure the system is verified before operations are restored.
d. Schedule an after-action analysis meeting with the required team (within two weeks).
e. Send detailed RCA/resolution information to the appropriate team as the incident closure notification.
f. Close the incident.
g. Work with the affected area/unit to identify and recommend changes to business, operational, or functional processes to reduce the risk of incident recurrence.
3. After-Action Analysis:
Yahoo collects and shares relevant after-action analysis documentation with stakeholders, as identified by the communication plan and strategy. This phase is performed within two weeks of the occurrence of the incident. The actions included in this phase are:
a. Collecting Data: The first step in after-action analysis is gathering information on the incident response operation. This includes information on the incident itself, on the organization's response to it, and relevant information from the affected business units.
b. Analyzing Data: The next stage is to analyze the gathered data to find the strengths and flaws of the incident response operation. This includes examining incident response protocols and plans and speaking with the personnel engaged in the response.
c. Identifying Lessons Learned: Based on the analysis, the following step is to identify the lessons from the incident response operation. This can entail recognizing both areas that could be improved and the best practices that worked well during the operation.
d. Developing Recommendations: The next phase is to create recommendations for enhancing the organization's incident response capabilities based on the lessons learnt. These can involve updating security controls, extending incident response protocols, or providing more staff with training.
e. Implementing Changes: The final step in the after-action analysis is putting the recommended adjustments to the organization's incident response capabilities into practice. This may include updating incident response plans and procedures, implementing new security controls, or providing additional training to personnel.
Incident Response Plan - Before an Attack
The Computer Security Incident Response Team (CSIRT) should develop an incident response plan (IRP) before a prospective security incident takes place, and test it periodically to ensure that it is effective. This section discusses measures that can be implemented to prepare prior to an incident.
1. Preventive Measures
To manage the risks associated with a particular attack, the organization must implement
preventive measures. These measures include:
• Vulnerability Assessment: A vulnerability assessment must be performed on the IT
infrastructure to identify potential weaknesses that could be exploited by attackers.
• Penetration Testing: A penetration test should be conducted to identify vulnerabilities that
are not identified by a vulnerability assessment.
• Access Control: The organization should implement appropriate access controls to ensure
that only authorized personnel have access to sensitive data and systems.
• Security Awareness Training: Employees should receive regular security awareness
training to help them recognize and report security incidents.
• Security Patches: Security patches should be installed on all endpoints to fix known
vulnerabilities.
• Firewall: A firewall (hardware-based or software-based) can be used to prevent unauthorized access to the network.
• Anti-virus/Anti-malware Software: Anti-virus/anti-malware software can be installed on
all endpoints to detect and remove malicious software.
2. Preparations of the IR Team
The Incident Response (IR) team should be prepared to handle a security incident. The
following preparations are necessary:
• Define Roles and Responsibilities: The organization should define the roles and
responsibilities of the IR team members. Each member should know their role in the IR
process.
• Communication Plan: The organization should have a communication plan in place to
ensure that all stakeholders are notified of an incident promptly.
• Document IR Procedures: The organization should document the IR procedures to ensure
that the team members follow the same procedures during an incident.
3. Training the CSIRT
The Computer Security Incident Response Team (CSIRT) must be trained to deal with incidents, and the training should include:
• Technical Training: CSIRT members should receive technical training to ensure that they
can handle the incident.
• Soft Skills Training: CSIRT members should receive soft skills training to ensure that they
can communicate effectively with stakeholders during an incident.
• Tabletop Exercises: The CSIRT should participate in tabletop exercises to simulate an
incident and identify areas that need improvement.
4. Selecting and Maintaining Tools
The organization should select and maintain the tools used by the CSIRT. The tools should be
updated regularly to ensure that they can handle the latest threats. The tools include:
• Incident Response Platform: The organization should have an incident response platform
in place to manage the incident.
• Forensic Tools: The organization should have forensic tools in place to analyze the
incident.
• Threat Intelligence: The organization should have access to threat intelligence to identify
potential threats.
5. Training the Users
Training the users is an essential part of the IR plan. The following training should be provided
to users:
• Security Awareness Training: Users should receive security awareness training to help
them recognize and report security incidents.
• Responsible Use Policy: The organization should have a responsible use policy in place
to ensure that users understand the acceptable use of the IT infrastructure.
• Incident Reporting: Users should know how to report a suspected incident and whom to
report it to.
6. Testing the IR Plan
Testing the IR plan is essential to ensure that it works as expected. The following strategies
can be used to test the IR plan:
• Desk Check: The IR team members should review the IR plan to ensure that it is accurate
and up to date.
• Structured Walk-through: The IR team members should walk through the IR plan to
identify areas that need improvement.
• Simulation: The IR team members should simulate an incident to test the IR plan.
• Parallel Testing: The IR team members should perform a parallel test to ensure that the
IR plan does not halt the operations of the business functions.