The original source of compromise, according to the DOJ indictment, was a spear phishing attack. From this entry point, the hackers were able to commit possibly the largest cyber security breach to date.
The Yahoo indictment has brought the attack technique of minting authentication cookies to the forefront.
This article was written by Steve Dance, Managing Partner of RiskCentric, and the attached indictment was obtained from ongoing research by RiskCentric, who have been following this story for several months on behalf of the Business Resilience Forum.
Once the alleged hackers had gained access to Yahoo systems, they were able to “mint” authentication cookies and thus access user accounts without authorisation. The unfettered access allowed the hackers to access the email contacts directory of the affected Yahoo accounts. This has created a situation where the potential number of internet users (not necessarily just Yahoo users) who might be affected or targeted has increased by orders of magnitude. (see the highlighted lines on page 14 of the indictment)
The indictment claims that the hackers “stole a copy of at least a portion of Yahoo’s User Database, a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information that gave the capability to create, or ‘mint,’ web browser authentication cookies for more than 500 million Yahoo accounts.”
Minting cookies is different from forging them. Forged currency notes, for instance, are created with equipment that produces facsimiles of genuine notes, whereas minting currency notes is analogous to stealing the proprietary equipment and raw materials from the mint itself and then churning out currency. Basically, it is genuine currency created fraudulently. Likewise, because the hackers had obtained Yahoo’s code and data for creating cookies, they were creating “Yahoo cookies” using Yahoo’s own tools.
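To make the distinction concrete, here is an added example (not from the article or the indictment) using a hypothetical HMAC-signed session cookie: a cookie that is altered but not re-signed fails verification, while a cookie minted with the stolen signing key is accepted until the key is rotated or a global issued-before cut-off is enforced. The cookie format, key values and timestamps are constructed for this illustration and are not Yahoo's.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical cookie format, constructed for this illustration (the indictment does not
# describe Yahoo's real format): base64(payload) "." HMAC-SHA256(key, payload).
def mint_cookie(key, user, issued_at):
    """Issue a signed session cookie. Whoever holds `key` can issue cookies the server accepts."""
    payload = base64.urlsafe_b64encode(json.dumps({"u": user, "iat": issued_at}).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_cookie(keys, cookie, not_before):
    """Return the user name if the signature matches a current key and the cookie was issued
    at or after the `not_before` cut-off; otherwise return None."""
    if "." not in cookie:
        return None
    payload, sig = cookie.rsplit(".", 1)
    for key in keys:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            data = json.loads(base64.urlsafe_b64decode(payload))
            return data["u"] if data["iat"] >= not_before else None
    return None

def demo():
    """Constructed scenario: forged vs. minted cookies, and two defensive responses."""
    key_v1 = b"constructed-demo-signing-key-v1"  # the key the attacker is assumed to have stolen
    key_v2 = b"constructed-demo-signing-key-v2"  # replacement key after rotation
    now = 1_700_000_000
    genuine = mint_cookie(key_v1, "alice", now)
    # Forgery: the payload is rewritten without the key, so the signature no longer matches.
    _, sig = genuine.rsplit(".", 1)
    bogus_payload = base64.urlsafe_b64encode(json.dumps({"u": "bob", "iat": now}).encode()).decode()
    forged = bogus_payload + "." + sig
    # Minting: with the real key, the cookie is byte-for-byte what the server itself would issue.
    minted = mint_cookie(key_v1, "bob", now)
    return {
        "genuine": verify_cookie([key_v1], genuine, 0),                   # "alice"
        "forged": verify_cookie([key_v1], forged, 0),                     # None: tampering detected
        "minted": verify_cookie([key_v1], minted, 0),                     # "bob": indistinguishable
        "minted_after_key_rotation": verify_cookie([key_v2], minted, 0),  # None: old key retired
        "minted_after_cutoff": verify_cookie([key_v1], minted, now + 1),  # None: issued before cut-off
    }
```

The last two entries are the defensive point: signature checks cannot tell a minted cookie from a genuine one, so the response to stolen signing material is key rotation or a global invalidation of everything issued before the incident, not stricter validation.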
A copy of the indictment can be downloaded here.