It’s been a rough year or so for Yahoo, which announced not one, but two massive data breaches nearly back-to-back in the last quarter of 2016, and nearly lost its acquisition by Verizon as a result. Although they were revealed close together, the two breaches are thought to be separate attacks. One, which exposed 500 million user accounts, occurred in 2014 and the other, which exposed an additional 1 billion user accounts, occurred in 2013. While the investigation into the 2013 breach continues, users finally have some answers for the 2014 breach, as the U.S. Justice Department announced the indictment of four Russian hackers and intelligence officials on charges related to the breach on March 15. These indictments follow nearly two years of investigation by the San Francisco FBI office, and it’s the first time the U.S. has levied criminal charges for cybercrime against Russian officials. As of yet, there is no news as to whether there is any connection between the people being charged and the larger, older breach from 2013. For now, here’s what you need to know about the charges levied and how Russia is involved.
Who’s responsible and how did they do it?
According to the documents released by the Justice Department, the four people being charged are Dmitry Dokuchaev and Igor Sushchin, two Russian intelligence officers from the country’s Federal Security Service (FSB), and alleged hired Russian hackers Karim Baratov and Alexsey Belan. They are accused of a number of crimes, including hacking, wire fraud, trade secret theft and economic espionage. Using phishing techniques to gain access to the information necessary to infiltrate millions of Yahoo accounts, the intelligence officers allegedly targeted specific individuals, while the hackers were permitted to use the information to target large swaths of people through spam campaigns. The individual targets included diplomats, business executives and even a Russian investigative reporter.
By acquiring the tools needed to gain access to people’s Yahoo accounts without detection, those involved were able to comb through these accounts in search of credit card information, other financial documents, login information for other private accounts and much more. Because people use Yahoo accounts to log into other services, such as Flickr and Tumblr, there’s a chance that even more was exposed than people even realize. The potential to access other accounts from the infiltrated Yahoo accounts also put potentially anything a person used their Yahoo email for at risk. In a more broad use of the stolen account information, the Russian hackers stole people’s contact lists to send marketing spam, as well as set up a scheme that redirected users who searched online for erectile dysfunction medication to a specific pharmacy website that profited the hackers.
What does this mean for the U.S. and consumers in general?
Although this is not the first time foreign officials have been indicted for cyberespionage — Chinese military officials were charged in 2014 — it is the first time such charges have been made against Russian officials. Considering rumors of Russian involvement in other cybercrimes, including the hacking of the DNC last year, these actions pave way for potential further charges in these other cases. It has been noted that these charges and crimes are unrelated to the DNC hacking as well as the ongoing FBI and Senate investigations into Russian tampering of the 2016 U.S. presidential election. As of yet, there has been no link made between the 2014 Yahoo breach and the earlier, larger breach in 2013, and we can only hope that following this announcement we will soon learn who was behind that breach and how the stolen information may have been used.
Unfortunately, the damage from this hack is already done. Accounts have been infiltrated, passwords stolen, credit card and other financial information used to the benefit of cybercriminals. However, there is much to learn from the details of how these crimes were pulled off that could protect people in the future. Here are a few tips you can follow to shore up your online security in the wake of these types of hacks:
- Take advantage of all your security options. It just isn’t enough these days to have a strong password. You also need to use unique passwords for each account and take care to change them frequently. Whenever available, activate two-factor verification and other security tools at your disposal to double protect your accounts. That way, if someone were to access your email account and try stealing login information for other accounts, you’d be alerted when they tried logging into those accounts by activation of your two-step verification.
- Be careful what you keep stored in your email accounts. How many times have you received an email with sensitive financial information or the username/password for a new account and filed the message away or simply left it sitting there in your inbox? Cybercriminals count on their victims to be more or less careless when it comes to this type of thing. If you receive anything to one of your accounts that could potentially put your identity or finances at risk if it fell into the wrong hands, you should find a way to save it securely, such as uploaded to a secure cloud account or saved to your device as a password-protected file. Online backup services will encrypt and protect files and folders, so perhaps you might consider using one of those.
- Brush up on your cybersecurity knowledge. Education is the best defense against criminals online, so take the time to learn about common scams and schemes like phishing so you can be able to recognize it when you see it. Bear in mind, like criminals in the “real world,” some cybercrimes are more sophisticated than others, so don’t beat yourself up if you do fall for a fraud. That said, knowing is half the battle, and the more you understand how to prevent and recognize online fraud, the better prepared you’ll be to stop yourself from clicking that link or responding to that message.
It’s quite likely that we will see more indictments in the future, Russian and otherwise, as state-sponsored espionage and cybercrime becomes more of a focus of crime fighters and lawmakers in the U.S. Although the frustrating part of data breaches is that there’s often little you can do as an individual to fight them, following the advice we provide in our identity theft protection blog will help you protect yourself online and offline from scammers, identity thieves and other bad guys as best you can.