2016: Why Yahoo’s breaches leave billions of users susceptible to spying

The Yahoo breach is getting second billing but it's enormous in both size and implication. Using forged cookies, a nation state could closely watch and target a user with malware through ad delivery networks.
(Glen Scott / Flickr)

What does it say about 2016’s seemingly endless torrent of cybersecurity catastrophe that news of the unprecedented hack of Yahoo and over 1 billion users is quickly and quietly fading into the background?

With public attention focused largely on hacks surrounding the U.S. election, relatively little notice is being paid to a second consequence of the breach: the hackers who broke into Yahoo two years ago and stole data and account access from 500 million to over 1 billion users may also have gained the ability to precisely track targeted users across the web through ad networks. That capability comes from forged “cookies,” the small files stored on a user’s machine that identify that individual to whoever holds, or can mint, the cookie.

The full capabilities gained by the attackers depend on their level of access to Yahoo’s platform. The company has released precious little specific technical information on the two breaches and the cookie forging, and it did not respond to our request for comment. Although it has garnered some criticism, the silence may be paying off from a PR standpoint. With emphatic questions about democracy and cybersecurity being posed in other stories, conversations and headlines around the Yahoo hacks are tougher to package and full of unknowns.

Yahoo Chief Information Security Officer Bob Lord believes the attack was launched by a state-sponsored attacker, a notion that is finding a lot of support and alarm in American intelligence agencies. Potential high-value targets include human rights activists, corporate executives, government employees and journalists.


Cookies are used by advertising empires like Google and Yahoo to closely track what users do online. Even though both companies do dozens of other things, the ad business provides the lion’s share of their revenue. Cookies, part of the essential technical backbone of that business, give these companies close tracking of users across the web. When the cookies can be forged or manipulated, that tracking is handed over to the hacker, along with the ability to attack.
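The article does not describe how Yahoo’s cookies were built or how they were forged. The following is an added illustration, not Yahoo’s code or anything from the article, of the usual defensive design for an identifying cookie: the server binds the claims to an HMAC under a secret signing key, so a cookie whose claims or tag have been altered is rejected, and rotating the key invalidates every cookie issued under the old one, forged or genuine. The user id, time values and key material are constructed for the example; the weakness the article points at is that an attacker with internal access to the signing material can mint cookies that pass exactly this check, which is why key rotation and short lifetimes matter as a response.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookie values are commonly encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, key: bytes, ttl: int = 3600, now=None) -> str:
    """Build '<claims>.<tag>' where tag = HMAC-SHA256(key, claims).

    `now` is injectable so the behaviour can be tested deterministically."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"uid": user_id, "exp": now + ttl}, separators=(",", ":"))
    body = _b64(claims.encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.

    The MAC is checked before the claims are parsed, with a constant-time
    comparison, so malformed or altered cookies never reach the JSON parser
    as trusted data."""
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("uid")


def demo(now: int = 1_700_000_000) -> dict:
    """Issue one cookie and show the verifier's decision in four situations.

    Returns a dict so the outcomes can be inspected or asserted."""
    key = secrets.token_bytes(32)  # constructed signing key for the demo
    cookie = issue_cookie("alice@example.test", key, ttl=3600, now=now)
    body, tag = cookie.split(".")
    # Alter the first character of the tag: any change to the tag or the
    # claims breaks the HMAC check, so the cookie is rejected.
    bad_tag = ("B" if tag[0] != "B" else "C") + tag[1:]
    # Key rotation is the response to a suspected signing-key compromise:
    # nothing signed under the old key validates any more.
    new_key = secrets.token_bytes(32)
    return {
        "genuine": verify_cookie(cookie, key, now=now + 10),
        "tampered": verify_cookie(f"{body}.{bad_tag}", key, now=now + 10),
        "expired": verify_cookie(cookie, key, now=now + 7200),
        "after_rotation": verify_cookie(cookie, new_key, now=now + 10),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result!r}")
```

The design point is that the cookie carries no secret of its own; its authority rests entirely on the signing key staying inside the server. Whoever holds that key can issue a cookie that identifies any user to every site that honours it, which is the capability the article describes, and the only way to revoke such cookies wholesale is to rotate the key.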

“By stealing and or manipulating a cookie for a specific user, you could use that cookie to target a user with malware through ad delivery networks,” Blake Darche, a former NSA Tailored Access Operations (TAO) operator for seven years and now chief security officer at Area 1 Security, said. “Cookies are often not understood and are very powerful targeting mechanisms to go after a specific user of interest allowing you to target them on a huge number of legitimate websites. This type of capability would most often be used by an advanced nation-state attacker to target a user of interest.”

This kind of capability could be compared to NSA offensive weapons like SECONDDATE, a leaked tool that intercepts web requests and redirects browsers on target computers to an NSA web server which can then be used to infect the target with malware.

“Think of the Great Firewall of China,” Darche explained. “It has packet injection capabilities. If you know a user’s cookie, you can inject a payload when they exit to Yahoo’s servers. That’s what this is like.”

In many of the cybersecurity firms populated by NSA alumni, the Yahoo hacks are in some corners receiving more attention than the ongoing Russian-American cybersecurity issues.


The hackers’ capabilities are being compared to lawful intercept programs like those under the FISA Court, which oversees surveillance warrants for federal law enforcement and intelligence agencies including the FBI and NSA.

The deep surveillance and hacking capabilities of the Yahoo attackers add yet another layer to the company’s long line of security problems. Employees reportedly knew of the breach as early as 2014, but it was not publicly announced until 2016. If the hack was used for precision tracking by an intelligence agency, the two-year delay in disclosure will likely come under further scrutiny.

Yahoo’s ad network has been targeted by hackers before who used a sophisticated exploit to infect millions of victims.

Earlier this year, Yahoo agreed to sell core businesses to Verizon for $4.8 billion. But the news of two massive hacks against the company may leave the deal looking far different from how it started, or even falling apart completely.

In 2000, prominent security technologist Bruce Schneier wrote that “it is poor civic hygiene to install technologies that could someday facilitate a police state.” Since Edward Snowden’s 2013 NSA leaks, Schneier has evoked that quote to speak specifically about American companies and intelligence agencies working in tandem. It turns out, however, that those technologies can also be stolen and taken across borders to be used by hackers whose very identities and intentions are cloaked in questions.

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.