View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 13, 2016

Post-breach forensics: How did Yahoo get hacked?

Yahoo will be conducting thorough investigations into the cause of its cyber breach.

By Alexander Sword

There is little news coming out of Yahoo as the world  waits to hear what exactly caused the theft of the details of 500 million Yahoo accounts, but inside the organisation, internal and external IT professionals will be working hard to find the answer.


Yahoo must find the cause of the breach.

Breach investigations take time, and with the attack having taken place over two years ago, records could be patchy.

Yet the findings of the investigation could either mean condemnation or vindication for Yahoo.

John Madelin, CEO at RelianceACSN, outlines some likely steps:

“The first thing Yahoo will need to do is bring in outside experts to dispassionately and objectively get to the bottom of the problem unencumbered by the problems and knowledge of the past.”

The next step in a standard breach investigation, Madelin says, is identifying the attack, followed by quarantining and ensuring that other systems are not affected.

Cameron Brown, independent cyber defence adviser, says that the forensic investigation will focus on timeline analysis and aggregation of available logs.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

However, security experts note the difficulties that Yahoo faces, considering the time elapsed since the breach.

Stephen Gates, chief research intelligence analyst at NSFOCUS, says that Yahoo will have to follow a “popcorn trail” left behind by the attacker, if they can find it.

“Occasionally this is easy; more often it’s impossible.  In most cases, trying to find the trail is directly affected by how long ago the breach happened.  If evidence of the breach has been destroyed or overwritten over time, this will only make Yahoo’s efforts more difficult.”

Is Yahoo just looking for a needle in a haystack?

Is Yahoo just looking for a needle in a haystack?

Even in the “best case scenario” where Yahoo has kept detailed records, finding the right information could be a “needle in a haystack” task, according to Thomas Fischer, Global Security Advocate at Digital Guardian.

Says Rob Sobers, director at Varonis, the process overall could take “weeks if not months.”

If the investigation is successful, what will the findings be? Yahoo has released precious little detail about the successful attack except to suggest that a state-sponsored attacker was involved.

Matt Walker, VP Northern Europe at HEAT Software suggests a possible method of attack, saying that it is likely that the method will be similar to that of other large breaches.

He says that if this is the case, the attacker “would first have looked to deliver malware inside Yahoo’s system, most probably by exploiting an existing software vulnerability for which a remediation was already available.”

After this the malware would have hidden its presence, Walker says, before making a connection with the attacker and probing deeper into the network.

In this case it appears the attack concluded once the details of 500 million users had been copied and transferred.”

Thomas Fischer at Digital Guardian suggests some other possibilities: a vulnerable front-end web application, a zero-day attack on a server or the compromise of an administrator.

Yahoo has already been criticised by a prominent group of US senators for its failure to promptly disclose the breach, but the revelation of what actually caused the attack could be just as damaging if the internet giant had somehow failed to take basic defensive steps.


Dido Harding, CEO of TalkTalk.

In the UK, TalkTalk was recently slapped with a £400,000 fine by the Information Commissioner’s Office (ICO) for failing to take basic steps to protect customer information, leading to the theft of the personal data of around 157,000 customers in October 2015.

The ICO found from its investigation that TalkTalk hosted three webpages that were vulnerable to SQL injections.

As Rik Ferguson, Global VP of Security Research at Trend Micro, said at IP Expo, this type of attack should “not be possible in 2016.”

It is possible that Yahoo fell victim to some incredibly sophisticated attack or was left vulnerable by an inept third party; if the attacker really was a nation state then perhaps there was nothing Yahoo could do.

But if, like TalkTalk, Yahoo failed to take basic defensive steps, the repercussions of the attack could be far from over.

As the introduction dates of new data protection regulations such as GDPR approach, companies will increasingly need to address both the before and after of breaches.

It may take some time to know how hackers got into Yahoo’s network and there is no real information on how well-prepared Yahoo was.

The best way to avoid having to deal with the fall-out of a breach is to avoid having one, which basic cyber security prevention steps could go a long way towards.

But even if the attack was unavoidable, if Yahoo did have the basics in place, at least the company won’t need to feel too fearful of the results of the investigation.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.