2017-03-15

The severity of that breach, the second worst in internet history, was most likely magnified by the fact that it took some two years for Yahoo to disclose the initial attack. Had Yahoo taken more aggressive steps — for instance, asking users to change their passwords, or even expiring the passwords and forcing users to enter new ones — it might have prevented some of the damage.

Here's a look at how the breach occurred, according to U.S. officials.

USER ACCOUNTS

Hackers got their initial access to Yahoo's network around early 2014, although it's not clear exactly how. By the end of the year, they had made two valuable finds.

The first was a backup copy of Yahoo's user database, current as of early November 2014. That database contained information that could be used to reset passwords and gain entry to Yahoo accounts, including phone numbers, answers to security questions and recovery email addresses. Using the latter, services like Yahoo can send password reset links.

The database also contained hashed (cryptographically scrambled) versions of user passwords, which Yahoo compares against what a user types in order to verify them at login.

The second was an internal tool Yahoo used to access and edit information in the user database. Together, they allowed hackers to start unlocking Yahoo accounts at will.

FOOL ME ONCE, FOOL ME TWICE

In effect, hackers created a Yahoo skeleton key by fooling the service into thinking they had already signed into particular accounts, even if they didn't know their passwords. Web service providers typically use bits of data called cookies to let you stay signed into an account via a web browser. This is how you keep Gmail, for instance, open even if you close your browser and restart it. A session cookie is a bearer credential: whoever presents a valid one is treated as the logged-in user, so anyone who can forge one has no need for the password.

The hackers used malware and the hashed passwords in the user database to manufacture fake cookies. To Yahoo, it then appeared that the hacker was the authorized user, already logged in without ever entering a password.

That method worked only as long as a user had not changed their password after early November 2014: the forged cookie depended on the password hash in the stolen copy of the database, and a new password produced a new hash that no longer matched. Hackers used this technique to target more than 6,500 user accounts.
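The mechanism above is easiest to see in code. The following is an added example, not Yahoo's code and not a description of Yahoo's actual cookie scheme: it contrasts a hypothetical session design in which the cookie is a deterministic function of fields held in the user database (so a stolen backup plus knowledge of the minting rule lets an attacker mint cookies offline, and only a password change invalidates them) with a design in which session identifiers are random, stored server-side, and revoked in bulk when the password changes. The user record, password, and class and function names are all invented for the illustration.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> str:
    # Plain SHA-256 stands in for a real slow password hash (bcrypt, scrypt);
    # the hash algorithm is irrelevant to the cookie-minting flaw shown here.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the stolen database backup: invented user and values.
STOLEN_DB_BACKUP = {
    "alice": {
        "password_hash": password_hash("correct horse battery staple"),
        "recovery_email": "alice@example.org",
    },
}


class WeakSessionService:
    """Hypothetical design: the cookie is derived only from fields in the user
    database, so whoever holds a copy of the database and the minting rule can
    compute a valid cookie offline without ever touching a login form."""

    def __init__(self, users):
        self.users = {u: dict(r) for u, r in users.items()}

    @staticmethod
    def mint(username, pw_hash):
        tag = hashlib.sha256(f"{username}:{pw_hash}".encode()).hexdigest()
        return f"{username}.{tag}"

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(password_hash(password), rec["password_hash"]):
            return None
        return self.mint(username, rec["password_hash"])

    def user_for_cookie(self, cookie):
        username, _, _ = cookie.partition(".")
        rec = self.users.get(username)
        if rec is None:
            return None
        expected = self.mint(username, rec["password_hash"])
        return username if hmac.compare_digest(cookie, expected) else None

    def change_password(self, username, new_password):
        # The stored hash is the only secret the cookie depends on, so cookies
        # minted from an old backup stop validating once it changes.
        self.users[username]["password_hash"] = password_hash(new_password)


class HardenedSessionService:
    """Session IDs are random, live only in a server-side store, and carry the
    user's session generation; a password change bumps the generation so every
    earlier session is revoked. A dump of the user database yields no cookie."""

    def __init__(self, users):
        self.users = {u: dict(r, session_gen=0) for u, r in users.items()}
        self.sessions = {}  # sid -> (username, generation); not in the user DB

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(password_hash(password), rec["password_hash"]):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, rec["session_gen"])
        return sid

    def user_for_cookie(self, cookie):
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        username, gen = entry
        return username if gen == self.users[username]["session_gen"] else None

    def change_password(self, username, new_password):
        rec = self.users[username]
        rec["password_hash"] = password_hash(new_password)
        rec["session_gen"] += 1  # invalidates every outstanding session at once


def forge_cookie_from_dump(username, dump):
    """What an attacker holding the backup plus the minting rule can do offline."""
    return WeakSessionService.mint(username, dump[username]["password_hash"])


def demo():
    results = {}
    weak = WeakSessionService(STOLEN_DB_BACKUP)
    forged = forge_cookie_from_dump("alice", STOLEN_DB_BACKUP)
    results["weak_forged_accepted"] = weak.user_for_cookie(forged)      # "alice"
    weak.change_password("alice", "new password")
    results["weak_forged_after_change"] = weak.user_for_cookie(forged)  # None

    hard = HardenedSessionService(STOLEN_DB_BACKUP)
    results["hard_forged_accepted"] = hard.user_for_cookie(forged)      # None
    real = hard.login("alice", "correct horse battery staple")
    results["hard_real_accepted"] = hard.user_for_cookie(real)          # "alice"
    hard.change_password("alice", "new password")
    results["hard_real_after_change"] = hard.user_for_cookie(real)      # None
    results["hard_bad_password_login"] = hard.login("alice", "wrong")   # None
    return results
```

Running `demo()` shows the two properties the article describes: against the weak design the offline-forged cookie is accepted until the victim changes their password, whereas against the hardened design the same forgery is rejected outright and a password change revokes even legitimately issued sessions, which is what forcing a password reset after a breach buys you.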

BEYOND YAHOO

The hackers targeted employees of specific companies by searching the database for recovery emails that used employer domains, according to the indictment. For instance, if hackers had looked for employees from The Associated Press, they'd have searched for email addresses ending with ap.org.

Hackers also searched the mailboxes they could read for evidence of other accounts controlled by the same user. Some were at Yahoo, others at Google's Gmail and other companies. The hackers could then send emails designed to dupe recipients into installing malware or handing over passwords for those other accounts.