Three Billion Secrets: The Yahoo Data Breach
In the autumn of 2016, Yahoo’s legal team placed a call that Verizon’s negotiators would remember for a long time.
The deal had been signed in July — $4.83 billion for Yahoo’s core internet business, one of the most closely watched technology acquisitions of the decade. Then, in September, Yahoo disclosed that what it called “a state-sponsored actor” had stolen data from 500 million user accounts in 2014. Verizon winced and continued.
Two months later, in December, Yahoo disclosed another breach — this one from 2013. One billion accounts, it said.
The real number, confirmed after Verizon completed its acquisition and conducted its own forensic audit, was three billion. Every account Yahoo had ever created. Every user who had ever registered, ever. The entirety of Yahoo’s user base — names, email addresses, telephone numbers, birthdates, hashed passwords, and in some cases unencrypted security questions and their answers — had been copied out by attackers who had been inside Yahoo’s infrastructure for years.
It was, and remains, the largest data breach in human history.
And behind it, according to a March 2017 United States Department of Justice indictment, were two uniformed officers of the Federal Security Service of the Russian Federation — one of whom was simultaneously acting as an informant for the CIA.
Threat Actor Profile: FSB Centre 18 / Karim Baratov Network
Designation: FSB Centre for Information Security (Centre 18); operating alongside freelance criminal actors Alexsey Belan and Karim Baratov
Attribution: United States Department of Justice (indictment, March 2017). Named individuals: FSB Officer Dmitry Dokuchaev (Major, Centre 18), FSB Officer Igor Sushchin (Colonel, FSB; embedded as security director at Renaissance Capital investment bank, Moscow), professional criminal hacker Alexsey Belan (Russian national, on FBI Most Wanted list), and Karim Baratov (Canadian-Kazakhstani national, hired gun).
Origin: Moscow, Russia; Almaty, Kazakhstan; Anchorage, Alaska (Belan’s sometime location)
Primary Mission: Intelligence collection against foreign nationals, journalists, dissidents, government officials, and business executives. Theft of commercially and diplomatically sensitive communications.
Known Tradecraft: Spear phishing, credential theft, session cookie forgery, database exfiltration, targeted account access bypassing multi-factor authentication, long-term persistent access to mail infrastructure
Notorious Operations:
- Yahoo Breach (2013–2016): Directed penetration of Yahoo’s user authentication infrastructure. Exfiltration of 3 billion account records. Long-term persistent access to Yahoo’s account management tooling, enabling targeted reading of specific accounts of intelligence interest.
- DNC Hack (2016): Russian intelligence operations (GRU/APT28 and FSB/APT29) penetrated the Democratic National Committee and the Clinton campaign’s email infrastructure in 2016. The FSB’s cyber operations arm (distinct from but adjacent to Centre 18) executed parallel intelligence collection operations against political targets — the same targets Dokuchaev’s team was tasked to surveil via Yahoo.
- Targeted Phishing Against Journalists and Dissidents: Systematic phishing campaigns against Russian journalists, political opposition figures, and foreign government officials whose email correspondence was of intelligence interest to the Kremlin. Yahoo’s infrastructure provided persistent access to many such individuals’ communications.
The Architecture of the Breach
To understand what happened to Yahoo, it helps to understand what Yahoo was, architecturally, in 2013.
Yahoo Mail was the largest free email service in the world. At its peak it served over a billion active users — an audience that included not just ordinary internet users but, critically for Russian intelligence purposes, Russian journalists, dissidents living abroad, opposition political figures, foreign diplomats, US government officials, and intelligence officers whose personal email addresses happened to live at yahoo.com.
Yahoo authenticated its users in two ways: through passwords, and through session cookies — small encrypted tokens stored in a user’s browser after login that allowed Yahoo’s servers to recognize a returning authenticated user without requiring them to enter their password again. These cookies had a finite lifetime, after which they expired and the user was asked to log in again.
Yahoo generated these cookies using a proprietary algorithm — an internal signing mechanism that took user account identifiers, timestamps, and a server-side secret key and produced a cryptographically signed token.
The thing about server-side secrets is that they exist on the server. And if you own the server, you own the secrets. And if you own the secrets, you can generate as many valid, signed cookies as you want, for any account you want, with any expiration date you choose.
This was the attack.
The Intrusion: Alexsey Belan’s Penetration
Alexsey Belan — known to the FBI by his online monikers “Magg” and “M4G,” wanted for prior intrusions into three US technology companies and already on the FBI’s Most Wanted list when the Yahoo operation began — was the technical instrument of the breach.
Belan was not a government employee. He was a freelance criminal hacker of exceptional skill, a Russian national who had been arrested in Greece in 2013 before escaping extradition back to the United States. The FSB, rather than prosecuting him, apparently recruited him as an asset — granting him protection from arrest in Russia in exchange for his services.
The precise initial vector of Belan’s intrusion into Yahoo’s networks was not established in the 2017 indictment with complete technical specificity, but the subsequent forensic picture suggests it involved spear phishing attacks targeting Yahoo employees with access to internal systems — the same vector used in virtually every major corporate intrusion of the period. A carefully crafted email. A convincing pretext. A link to a credential-harvesting page. An employee whose password now belonged to someone in Moscow.
Once inside, Belan moved laterally through Yahoo’s network until he located the two systems that mattered most:
The User Database (UDB): Yahoo’s master user database, containing account information for all registered Yahoo users — names, email addresses, phone numbers, password hashes (MD5, with a bcrypt migration partially underway), birthdates, and account creation metadata. Belan copied the UDB. Then he kept the access open so he could query it in real time.
The Account Management Tool (also known internally as the “Account Management Portal”): Yahoo had built internal tooling that allowed authorized Yahoo employees to look up account information, perform customer service functions, and — critically — generate new session cookies for users who had been locked out of their accounts. This tool had access to Yahoo’s cookie-minting infrastructure.
Belan exfiltrated portions of the UDB and, more consequentially, gained persistent access to Yahoo’s cookie-generation mechanism.
The Cookie Forgery: How You Log In Without a Password
The forged cookie technique was both the most technically elegant and the most operationally significant aspect of the Yahoo breach. It allowed Dokuchaev and Sushchin — or anyone they tasked — to read the private email of any Yahoo account without ever knowing that account’s password.
The mechanics worked like this:
Yahoo’s session cookies contained several components: a user account identifier (the Yahoo user ID number), a timestamp, a version indicator, and a cryptographic signature generated using Yahoo’s secret signing key. When a user’s browser presented this cookie, Yahoo’s servers would verify the signature, confirm the timestamp hadn’t expired, and grant access to the account.
Belan’s access to Yahoo’s internal account management infrastructure gave him — and through him, his FSB handlers — the ability to call Yahoo’s cookie-generation API directly, specifying any account they wanted. The resulting cookie was cryptographically indistinguishable from a legitimately generated one. It would pass every check Yahoo’s authentication systems performed.
The elegance of this technique was that it left no trace in the target account’s login history. A user logging in through Yahoo’s standard web interface generated a visible login record. A forged cookie, generated server-side through the internal API, could be constructed to bypass the normal logging pathway, or its log entries could be made to appear as routine internal access.
Targets never received an alert. Their accounts showed no suspicious activity. Their passwords were never compromised in the sense that an attacker ever used their password — and so password-reset security measures were irrelevant.
The only way to detect the access was to audit Yahoo’s server-side cookie generation logs — and Yahoo, as later congressional testimony made painfully clear, was not systematically doing this.
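The cookie model described above (signature plus expiry, nothing else) and the detection gap it leaves are illustrated here in a simplified example added for this article; it is not Yahoo’s code or cookie format. The cookie layout, the signing key, the log entries and the ticket list are all constructed: the point is that a verifier checking only the signature accepts any cookie minted with the server-side key, so the control has to live in the audit of the minting path itself.

```python
import hmac
import hashlib

# Constructed sample key and a simplified cookie layout with the fields the
# article lists: version | user id | issued-at | expires-at | signature.
SIGNING_KEY = b"constructed-server-side-secret-key"
COOKIE_VERSION = 1

def mint_cookie(user_id, issued_at, ttl, key=SIGNING_KEY):
    """Produce a signed session cookie. Anyone holding `key` can call this
    for any user_id and any ttl, which is the whole problem."""
    payload = f"{COOKIE_VERSION}|{user_id}|{issued_at}|{issued_at + ttl}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_cookie(cookie, now, key=SIGNING_KEY):
    """Signature-and-expiry check only; returns the user id or None.
    A cookie minted through an internal tool is indistinguishable here."""
    try:
        version, user_id, issued, expires, sig = cookie.split("|")
    except ValueError:
        return None
    payload = f"{version}|{user_id}|{issued}|{expires}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if int(expires) <= now:
        return None
    return int(user_id)

# Constructed server-side audit records. Every mint is logged with its origin:
# "login_flow" (issued after a password check) or "admin_tool" (the internal
# account-management tool). Logins are the password-based events.
MINT_LOG = [
    {"ts": 1000, "user_id": 42, "origin": "login_flow", "operator": None},
    {"ts": 1005, "user_id": 42, "origin": "admin_tool", "operator": "cs-agent-7"},
    {"ts": 2000, "user_id": 77, "origin": "admin_tool", "operator": "cs-agent-7"},
    {"ts": 2001, "user_id": 78, "origin": "admin_tool", "operator": "cs-agent-7"},
]
LOGIN_LOG = [{"ts": 1000, "user_id": 42}]
OPEN_TICKETS = {42}  # assumed: accounts with an open customer-service case

def suspicious_mints(mint_log, login_log, tickets, window=300):
    """Flag admin-tool mints that have neither a recent password login by the
    same account nor an open support ticket justifying the recovery."""
    last_login = {e["user_id"]: e["ts"] for e in login_log}  # latest wins
    flagged = []
    for m in mint_log:
        if m["origin"] != "admin_tool":
            continue
        uid = m["user_id"]
        recent = uid in last_login and 0 <= m["ts"] - last_login[uid] <= window
        if not recent and uid not in tickets:
            flagged.append(m)
    return flagged
```

Running `suspicious_mints(MINT_LOG, LOGIN_LOG, OPEN_TICKETS)` flags the mints for accounts 77 and 78, the ones with no user-side activity behind them, while `verify_cookie` would have accepted all four cookies without complaint.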
The Tasking: Dokuchaev and Sushchin
The intelligence value of the breach was directed by the two FSB officers.
Dmitry Dokuchaev was a Major in the FSB’s Centre for Information Security — the unit responsible for technical intelligence collection. He had, in a previous chapter of his career, been a hacker himself, operating under the handle “Forb” before apparently being recruited by the FSB (a pattern the Russian security services have used repeatedly: catch a hacker, offer them a choice between prosecution and employment). He was the primary operational officer for the Yahoo tasking.
Igor Sushchin was more senior — an FSB Colonel who had been placed under deep cover as the director of information security at Renaissance Capital, one of Moscow’s largest investment banks. His cover was not unusual: the FSB routinely embeds officers in Russian companies, financial institutions, and media organizations as part of its domestic and foreign intelligence architecture.
Together, they directed Belan to use Yahoo’s stolen cookie-minting capability to access specific accounts. The targets were not random. The DOJ indictment identified categories of interest: Russian and US government officials, Russian journalists, employees of a Russian cybersecurity firm (widely understood to be Kaspersky Lab, whose relationship with the Russian government had become a US intelligence concern), and officers of financial companies.
The operation was, at its core, not about stealing three billion records. The three billion records were a side effect — an inevitable consequence of having unrestricted access to a database of that scale. The mission was reading the email of specific individuals who were of strategic interest to Russian foreign intelligence.
Karim Baratov: The Hired Gun
For targets outside Russia — individuals whose accounts were hosted on services other than Yahoo, or who could be reached through Yahoo but required more aggressive action — the FSB turned to a hired contractor.
Karim Baratov was 22 years old when he was arrested in 2017. He had been born in Kazakhstan, immigrated to Canada as a teenager, and had spent his adolescence building a business model around targeted account hacking. He maintained a website offering account-cracking services for hire, advertising his ability to penetrate Gmail, Yahoo Mail, and other webmail accounts for a fee of a few hundred to a few thousand dollars per target.
He drove a Lamborghini. He posted photos of it on social media.
Baratov’s operational relationship with the FSB was transactional: Dokuchaev paid him to access specific accounts, providing target email addresses and receiving the contents in return. The DOJ indictment alleged he hacked at least 50 accounts for his FSB handler, charging approximately $100 per account for ordinary targets and more for difficult ones.
He was not ideologically motivated. He was not a patriot. He was a contractor who received assignments and invoices and didn’t ask about the customers’ intentions.
When Canadian authorities arrested him at his home in Anchorage, Ontario, in March 2017, they found him at his computer. He was convicted in the United States, having pleaded guilty, and sentenced to five years in federal prison.
The Cover-Up and the Disclosure
The breach occurred in August 2013. Yahoo’s security team became aware of unauthorized access to its user database in 2014. The full scope of what had occurred — the cookie forgery infrastructure, the persistent access, the depth of the penetration — was not understood internally for years.
Yahoo’s leadership, including its CEO Marissa Mayer, received briefings on the 2014 breach (a separate, smaller incident affecting 500 million accounts). The 2013 breach, at the time, was not fully understood as a separate event.
In July 2016, Yahoo entered into a purchase agreement with Verizon. The $4.83 billion deal was the culmination of months of negotiation over the struggling internet company’s remaining assets.
In September 2016 — after the deal had been signed — Yahoo publicly disclosed the 2014 breach: 500 million accounts compromised by a “state-sponsored actor.”
Verizon’s due diligence team, now looking much harder at Yahoo’s security posture, found more. In December 2016, Yahoo disclosed the 2013 breach — initially characterizing it as “over one billion accounts.”
The forensic investigation commissioned by Verizon ultimately concluded the actual figure was three billion accounts — the entirety of Yahoo’s user base at the time of the breach. Every account. Every user. All of it.
Verizon renegotiated the purchase price. The deal closed in June 2017 at $4.48 billion — a $350 million reduction that represented the direct financial penalty Yahoo paid for years of security failures and incomplete disclosure.
Marissa Mayer forfeited her cash bonus for 2016. Several senior Yahoo security officials departed.
The Indictment and the Irony
On March 15, 2017, the United States Department of Justice unsealed a 24-count indictment against four individuals: Dokuchaev, Sushchin, Belan, and Baratov.
The indictment was historic in several respects: it was the first time the US government had charged sitting officers of a foreign government’s intelligence service with specific computer crimes in a US federal court. The evidence presented — including records of FSB internal communications, payment records between Sushchin and Baratov, and forensic analysis of Yahoo’s server-side access logs — represented an extraordinary degree of US intelligence penetration of FSB operations.
And then came the irony that defied fiction.
Dmitry Dokuchaev, the FSB Major who had directed the Yahoo operation, had been arrested in Moscow in December 2016 — three months before the US indictment — by Russian authorities on charges of treason. He was accused of passing information about Russian cybercriminals to the CIA.
The FSB officer who had orchestrated the largest data breach in history was himself an informant for American intelligence.
Dokuchaev remains in Russian custody. Sushchin was also arrested in Russia on treason charges. Belan remains a fugitive. Only Baratov served time in a Western prison.
The three billion accounts — the names, the email addresses, the security questions, the scrambled passwords — remain somewhere in Russian intelligence archives. What has been done with them in the years since, no public record fully reveals.
Attack Chain: Yahoo Data Breach — FSB Operation (2013–2016)
graph TD
A["🇷🇺 FSB Centre 18\nDmitry Dokuchaev (Major)\nIgor Sushchin (Colonel)\nMoscow"] --> B["Mission Tasking\nIntelligence Collection via\nYahoo Mail Infrastructure\nTarget: Journalists, Officials, Dissidents"]
B --> C["Asset Activation\nAlexsey Belan — Russian Criminal Hacker\n'Magg' / 'M4G'\nFBI Most Wanted, FSB Protected"]
C --> D["Initial Access\nSpear Phishing Yahoo Employees\nCredential Harvesting\nValid Employee Login Obtained"]
D --> E["Lateral Movement\nInternal Network Traversal\nPrivilege Escalation\nTarget: Core Infrastructure Systems"]
E --> F1["Target 1: User Database (UDB)\n3 Billion Account Records\nNames, Emails, Phones, DOB\nMD5-Hashed Passwords"]
E --> F2["Target 2: Account Management Tool\nInternal Cookie-Minting API\nEmployee-Level Access\nAuthenticates Any Account"]
F1 --> G1["UDB Exfiltrated\nCopied to Attacker-Controlled\nExternal Infrastructure\nPersistent Query Access Maintained"]
F2 --> G2["Cookie Forgery Capability\nAccess to Yahoo Signing Key\nForge Valid Session Tokens\nFor Any Yahoo Account"]
G2 --> H["Cookie Minting Process\nSpecify Target Account ID\nGenerate Signed Token\nBypasses Password Entirely"]
H --> I["Zero Login Trace\nNo Password Used\nNo MFA Challenge\nNo Suspicious Login Alert\nTarget Never Notified"]
I --> J["FSB Tasking Chain\nDokuchaev → Belan → Cookie Mint\nAccess: Russian Journalists\nForeign Diplomats / US Officials\nCybersecurity Firm Employees"]
J --> K["Parallel Operation\nKarim Baratov — Hired Contractor\nCanadian-Kazakhstani National\n$100–$5,000 per Target Account"]
K --> L["Baratov Delivers\nEmail Contents of 50+ Targets\nOutside Yahoo Infrastructure\nGmail / Other Providers"]
G1 --> M["2014: Yahoo Security\nDetects Unauthorized DB Access\nInternal Investigation\nFull Scope Not Understood"]
M --> N["July 2016\nVerizon Acquisition Agreement\n$4.83 Billion Deal Signed"]
N --> O["September 2016\nYahoo Discloses 2014 Breach\n500M Accounts — 'State Actor'\nVerizon Conducts Deeper Audit"]
O --> P["December 2016\nYahoo Discloses 2013 Breach\n'Over 1 Billion Accounts'\nActual Figure: 3 Billion"]
P --> Q["March 2017\nDOJ Unseals Indictment\n4 Defendants: Dokuchaev, Sushchin\nBelan, Baratov"]
Q --> R["🔴 Verizon Deal Renegotiated\n$350M Discount Applied\nFinal Price: $4.48 Billion\nYahoo CEO Bonus Forfeited"]
Q --> S["Irony: Dokuchaev Arrested\nBy Russia (Dec 2016)\nCharged with Treason\n(Alleged CIA Informant)"]
S --> T["Belan: Still Fugitive\nSushchin: Russian Custody\nBaratov: 5 Years US Prison\nDokuchaev: Russian Custody"]