Whether it was his postings on social media or his frequent trips to car wash businesses, Karim Baratov loved to show off his expensive taste in cars. To his peers, Baratov rarely described what he did for a living that enabled him to afford expensive vehicles, and only alluded to working on “computer geek stuff”. The description of “computer geek stuff” was a bit of an understatement; Baratov was a hacker, one of four responsible for a hack of Yahoo accounts that amounted to the largest data breach in history.
The hack he participated in, which managed to obtain data from one billion user accounts including names, phone numbers and encrypted passwords, was devastating for Yahoo’s reputation and its stock price. After being arrested in his hometown of Ancaster, Ontario, Baratov could face up to 20 years in prison if he is found guilty.
Three Russian nationals, including two members of the FSB, Russia’s secret service, were also arrested in connection with the hack. Yahoo was mum about the data breach for over two years. Now that the nature of the hack and its perpetrators have been revealed, it would not be paranoid for people to worry about whether their personal information is safe.
If Yahoo could be devastated by a massive data breach, how can users trust that their personal information is safe?
Baratov’s conspicuous personal wealth was most likely derived from hacking Yahoo account information and then selling the information, including account names and passwords, on his own domains. Facing a hefty sentence, he certainly won’t be selling private information anymore, but the damage he has caused to Yahoo will not be diminished.
In 2016, Yahoo officially announced that two data breaches occurred, the first occurring in August 2013 and the second in the later months of 2014. In total, the information of about 1 billion user accounts was compromised. In July of 2016, prior to the announcement of the breach, Yahoo agreed to sell its core internet business to Verizon for $4.83 billion.
The impact of the hack was felt not only by the users who had their information breached, but by Yahoo shareholders as well. According to wired.co.uk, this deal was reduced in February 2017 to $4.48 billion in cash, $350 million less than what was originally offered. Although the two breaches amounted to the largest hack in Internet history, there were a number of other prominent hacks that targeted some of the largest firms in the world.
Between 2005 and 2012, more than 160 million credit and debit card numbers were stolen and 800,000 bank accounts were compromised when hackers targeted servers used by the Nasdaq stock exchange. The United States Office of Personnel Management was similarly struck in 2015, when 21.5 million records, including highly personal information like Social Security numbers and addresses, were hacked by unknown perpetrators.
In 2011, the personal information of 77 million PlayStation Network users was exposed, causing Sony to shut down its services for 23 days. Sony estimated that the cost of the outage was $171 million. Major institutions, both federal governments and private firms, are highly vulnerable to increasingly sophisticated hackers.
At this point, the one billion accounts hacked by Baratov and his accomplices will prove to be a difficult record to break, but it is only a matter of time until a security breach of a similar magnitude takes place.
What makes the arrests of the Yahoo hackers so troubling is not the identity of Baratov, but rather the fact that his co-conspirators were FSB agents. In its official announcement of the breach, Yahoo mentioned that a “state actor” was involved, but did not initially disclose which state was implicated. Initially, Chinese hackers were suspected of being responsible.
Certainly, there is a precedent for hackers working for the Chinese government breaching databases in the United States. The most notorious incident was when two Chinese military officers, working alongside prominent business owner Su Bin, hacked sensitive information from major US military contractors and absconded with schematic designs for Lockheed Martin’s F-35 Joint Strike Fighter. Although the Yahoo account breach did not involve information as sensitive to national security as military equipment designs, the involvement of members of the Russian FSB should prove startling to people in the United States. Although there is no conclusive evidence, it has frequently been alleged that FSB-tied hackers leaked emails from Hillary Clinton’s presidential campaign in order to sabotage her credibility.
There is no reason to suspect that Baratov and his compatriots were targeting politically sensitive information, but the involvement of Russia’s secret service shows that agents of federal governments are actively involved in targeting the private information of hundreds of millions of people. Baratov’s motivation was almost certainly financial gain. The underlying reasons for the involvement of FSB agents are as yet unknown.
Before overreacting to this information, readers would be well advised to understand the nuances of this incident. The primary factor in this case was that Yahoo had notoriously lax cybersecurity standards. Edward Snowden even cited Yahoo as a frequent target for hackers due to its weak security features.
Yahoo CEO Marissa Mayer even denied her company’s security team additional funds to boost its security, citing financial constraints. High-ranking executives, including Mayer, may have known that their company was vulnerable, but opted to not take any meaningful action. While hackers, especially state-sponsored ones, are becoming bolder and more sophisticated, it is likely that Yahoo was hit hard because of run-of-the-mill corporate negligence.
What does this mean for the general public, who would understandably be nervous about storing personal information online? For this article, we spoke with Song Ho Ahn, a professor of Computer Science at Sheridan College. Discussing the nuances of cybersecurity, Ahn explained that although some servers have more competent security than others, no server is completely immune from being breached. For laypeople unacquainted with coding and encryption, he offered fairly straightforward advice: never use the same password twice, never click a link from an unfamiliar source, and keep the sharing of personal information to a minimum.