About YahooYahoo is a web service provider and is headquartered in Sunnyvale, California. The original Yahoo! Company was founded by Jerry Yang and David Filo in January and was incorporated on March 2, 1995 (Wikipedia, 2017). Yahoo became a part of Oath along with AOL after its acquisition by Verizon in 2016 (Lawler, 2017). What happened, who was involved and what was the impactThere were two security breach incidents which came into light in 2016 and they are two separate incidents.The first case was a breach in 2014 which was disclosed by Yahoo in September 2016, affecting as many as 500 million users which Yahoo attributed to state-sponsored hackers.The second case is the largest security breach which occurred in 2013 but was only brought to light in December 2016 where Yahoo broadcasted that 1 billion accounts had been hacked. However, recently in 2017, there has been a correction. It turned out that Yahoo’s 2013 hack actually compromised 3 billion accounts (Newman, 2017).This report will be focused on the latter – the second case mentioned above. Yahoo’s most severe security breach in 2013 did come as a shock to some but, at the same time, was not unexpected as Yahoo had similar cybersecurity issues in the past.Back in 2012, hackers posted a collection of e-mail addresses and encrypted passwords which was obtained from the servers of Yahoo Voices. 400,000 user accounts had their details exposed. Condliffe suggests that “The issue, at the time, was the weak security in the systems inherited by Yahoo that nobody had bothered to upgrade” (Condliffe, 2016).In spite of improving a number of security issues, Yahoo had many users lament over an array of compromises. In the next year, 2013, multiple Yahoo Mail users reported that their accounts had been hacked via phishing attacks where users were persuaded to click on links within emails.In 2014, again, Yahoo announced that it had detected a hack of customer e-mail account details. Hackers had taken usernames and passwords from a third-party server and infiltrated the accounts to acquire more names and email addresses. To cease the attacks, Yahoo quickly reset passwords.Finally, in 2016, Yahoo disclosed that its servers had been hacked in 2014. Later in 2016, on December 14, Yahoo announced its most serious security breach. The hack, speculated to be the biggest ever hack of user records, occurred in 2013 (Condliffe, 2016). According to Yahoo’s chief information officer, Bob Lord, it was revealed that names, email addresses, telephone numbers, birthdays, hashed passwords (using MD5), and, in some cases, encrypted or unencrypted security questions and answers had been disclosed. Yahoo did confirm that passwords were not stolen in clear text, and hackers did not obtain bank or credit card information tied to the Yahoo accounts (Garun, 2017).The breach involved the hacking of a staggering 1 billion accounts. However, 10 months later, Yahoo had to make an amendment: “that incident actually exposed three billion accounts – every Yahoo account that existed at the time” (Newman, 2017). How it happenedA system flaw which allowed hackers to penetrate the Yahoo accounts was the fact that hackers were able to replicate “cookies” such that the hacker would be able to be logged into an account without actually having to enter a password. Yahoo said, “someone had accessed its proprietary computer code to learn how to forge “cookies,” which would allow hackers to access an account without passwords” (Menn, Finkle, Volz, 2016). Vulnerabilities and existing controls Yahoo claimed that it “routinely conducted drills to test and improve its cyber defences and highlighted campaigns such as a “bug bounty” program in which it pays hackers to find security flaws and report them to the company”.Despite this preventative control, Yahoo still suffered the major security breach which could be due to the vulnerabilities of the system. Yahoo’s major vulnerability was the fact that it was using discredited technology for encrypting data known as MD5. Yahoo eventually implemented better security for passwords for its customers, discontinuing the usage of MD5 in the summer of 2013 but it was too late (Menn, Finkle and Volz, 2016). It was mentioned, “The timing of the attack might seem like bad luck but the weakness of MD5 had been known by hackers and security experts for more than a decade” (Fortune, 2016). It has been said that “MD5 can be cracked more easily than other so-called “hashing” algorithms” (Fortune, 2016). Several industry professionals have advised against the use of MD5. An example of a warning is Carnegie Mellon University’s Software Engineering Institute issuing a public warning to security experts through a U.S. government-funded vulnerability alert system – It warned that MD5 “should be considered cryptographically broken and unsuitable for further use” (Fortune, 2016). How the company respondedDespite knowing about the intrusion in 2013, Yahoo did not disclose the information and only notified the public in 2016, 3 years later. John Pironti, cybersecurity expert and president of IP Architects, said that Yahoo should be held responsible for its slow response (Forrest, 2017). However, with Yahoo in the spotlight, the company told Reuters that “it was committed to keeping users secure by staying ahead of new threats” (Menn, Finkle, Volz, 2016). Yahoo also stated that it “invalidated unencrypted security questions and answers so they cannot be used to access an account” (Yahoo, 2017). Who were the hackers?Yahoo said it “believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts” (BBC, 2016). The Yahoo spokesperson also said that “we (Yahoo) have not been able to identify the intrusion associated with this theft” (Hale, 2016).