yahoo hack case study

• Artificial Intelligence
• Generative AI
• Business Operations
• IT Leadership
• Application Security
• Business Continuity
• Cloud Security
• Critical Infrastructure
• Identity and Access Management
• Network Security
• Physical Security
• Risk Management
• Security Infrastructure
• Vulnerabilities
• Software Development
• Enterprise Buyer’s Guides
• United States
• United Kingdom
• Newsletters
• Foundry Careers
• Terms of Service
• Privacy Policy
• Cookie Policy
• Member Preferences
• About AdChoices
• E-commerce Links
• Your California Privacy Rights

Our Network

• Computerworld
• Network World

Inside the Russian hack of Yahoo: How they did it

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That’s all it took for hackers aligned with the Russian state security service to gain access to Yahoo’s network and potentially the email messages and private information of as many as 500 million people.

Of course, that 2014 breach, was soon dwarfed by revelations of a second breach that took place a year earlier and which at the time was said to have compromised 1 billion Yahoo user accounts . On Tuesday, Yahoo said that, in fact, all 3 billion user accounts were affected.

The U.S. Federal Bureau of Investigation investigated the 2014 intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. In March 2017, the FBI indicted four people for the attack, two of whom are Russian spies.

Here’s how the FBI says they did it:

The hack began with a spear-phishing email sent in early 2014 to a Yahoo company employee. It’s unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.

Once Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network, he looked for two prizes: Yahoo’s user database and the Account Management Tool, which is used to edit the database. He soon found them.

So he wouldn’t lose access, he installed a backdoor on a Yahoo server that would allow him access, and in December he stole a backup copy of Yahoo’s user database and transferred it to his own computer.

The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account.

It’s those last two items that enabled Belan and fellow commercial hacker Karim Baratov to target and access the accounts of certain users requested by the Russian agents, Dmitry Dokuchaev and Igor Sushchin.

A U.S. District Court endictment for four people accused of hacking Yahoo is seen against FBI wanted posters.

The account management tool didn’t allow for simple text searches of user names, so instead the hackers turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery email address, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest.

Once the accounts had been identified, the hackers were able to use stolen cryptographic values called “nonces” to generate access cookies through a script that had been installed on a Yahoo server. Those cookies, which were generated many times throughout 2015 and 2016, gave the hackers free access to a user email account without the need for a password.

Throughout the process, Belan and his colleague were clinical in their approach. Of the roughly 500 million accounts they potentially had access to, they only generated cookies for about 6,500 accounts.

The hacked users included an assistant to the deputy chairman of Russia, an officer in Russia’s Ministry of Internal Affairs and a trainer working in Russia’s Ministry of Sports. Others belonged to Russian journalists, officials of states bordering Russia, U.S. government workers, an employee of a Swiss Bitcoin wallet company and a U.S. airline worker.

So clinical was the attack that when Yahoo first approached the FBI in 2014, it went with worries that 26 accounts had been targeted by hackers. It wasn’t until late August 2016 that the full scale of the breach began to become apparent and the FBI investigation significantly stepped up.

In December 2016, Yahoo went public with details of the breach and advised hundreds of millions of users to change their passwords.

More on the Yahoo breach:

• Yahoo execs botched its response to 2014 breach, investigation finds
• Here’s what you should know, and do, about the Yahoo breach
• Yahoo shows that breach impacts can go far beyond remediation expenses
• The massive Yahoo hack ranks as the world’s biggest — so far

Related content

The inside story of cyber command’s creation, sec rule for finance firms boosts disclosure requirements, ddos attacks: definition, examples, and techniques, fcc proposes bgp security measures, from our editors straight to your inbox.

Martyn Williams produces technology news and product reviews in text and video for PC World, Macworld, and TechHive from his home outside Washington D.C.. He previously worked for IDG News Service as a correspondent in San Francisco and Tokyo and has reported on technology news from across Asia and Europe.

More from this author

How to protect your google and facebook accounts with a security key, trump’s cybersecurity mystery: 90 days in, where’s the plan, trump extends obama executive order on cyberattacks, most popular authors.

• Microsoft Security

Show me more

Us ai experts targeted in cyberespionage using sugargh0st rat.

Cycode rolls out ASPM connector marketplace, analysts see it as bare minimum

BreachForums seized by law enforcement, admin Baphomet arrested

CSO Executive Sessions: The personality of cybersecurity leaders

CSO Executive Sessions: Geopolitical tensions in the South China Sea - why the private sector should care

CSO Executive Sessions: 2024 International Women's Day special

Sponsored Links

• Tomorrow’s cybersecurity success starts with next-level innovation today. Join the discussion now to sharpen your focus on risk and resilience.

Trending News

Related Practices & Jurisdictions

• Communications, Media & Internet
• Securities & SEC
• Criminal Law / Business Crimes
• All Federal

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice's (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010.

The Yahoo Data Breaches

In December 2014, Yahoo's security team discovered that Russian hackers had obtained its "crown jewels"—the usernames, email addresses, phone numbers, birthdates, passwords and security questions/answers for at least 500 million Yahoo accounts. Within days of the discovery, according to the SEC, "members of Yahoo's senior management and legal teams received various internal reports from Yahoo's Chief Information Security Officer (CISO) stating that the theft of hundreds of millions of Yahoo users’ personal data had occurred." Yahoo's internal security team thereafter was aware that the same hackers were continuously targeting Yahoo's user database throughout 2015 and early 2016, and also received reports that Yahoo user credentials were for sale on the dark web.

In the summer of 2016, Yahoo was in negotiations with Verizon to sell its operating business. In response to due diligence questions about its history of data breaches, Yahoo gave Verizon a spreadsheet falsely representing that it was aware of only four minor breaches involving users’ personal information.  In June 2016, a new Yahoo CISO (hired in October 2015) concluded that Yahoo's entire database, including the personal data of its users, had likely been stolen by nation-state hackers and could be exposed on the dark web in the immediate future. At least one member of Yahoo's senior management was informed of this conclusion. Yahoo nonetheless failed to disclose this information to Verizon or the investing public. It instead filed the Verizon stock purchase agreement—containing an affirmative misrepresentation as to the non-existence of such breaches—as an exhibit to a July 25, 2016, Form 8-K, announcing the transaction. 

On September 22, 2016, Yahoo finally disclosed the 2014 data breach to Verizon and in a press release attached to a Form 8-K.  Yahoo's disclosure pegged the number of affected Yahoo users at 500 million.

The following day, Yahoo's stock price dropped by 3%, and it lost $1.3 billion in market capitalization. After Verizon declared the disclosure and data breach a "material adverse event" under the Stock Purchase Agreement, Yahoo agreed to reduce the purchase price by $350 million (a 7.25% reduction in price) and agreed to share liabilities and expenses relating to the breaches going forward.

Since September 2016, Yahoo has twice revised its data breach disclosure.  In December 2016, Yahoo disclosed that hackers had stolen data from 1 billion Yahoo users in August 2013, and had also forged cookies that would allow an intruder to access user accounts without supplying a valid password in 2015 and 2016. On March 1, 2017, Yahoo filed its 2016 Form 10-K, describing the 2014 hacking incident as having been committed by a "state-sponsored actor," and the August 2013 hacking incident by an "unauthorized third party."  As to the August 2013 incident, Yahoo stated that "we have not been able to identify the intrusion associated with this theft." Yahoo disclosed security incident expenses of $16 million ($5 million for forensics and $11 million for lawyers), and flatly stated: "The Company does not have cybersecurity liability insurance."

The same day, Yahoo's general counsel resigned as an independent committee of the Yahoo Board received an internal investigation report concluding that "[t]he 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident." The internal investigation found that "senior executives and relevant legal staff were aware [in late 2014] that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool."

The report concluded that "failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident." Yahoo's CEO, Marissa Mayer, also forfeited her annual bonus as a result of the report's findings.

On September 1, 2017, a California federal judge partially denied Yahoo's motion to dismiss the data breach class actions. Then, on October 3, 2017, Yahoo disclosed that all of its users (3 billion accounts) had likely been affected by the hacking activity that traces back to August 2013. During a subsequent hearing held in the consumer data breach class action, a Yahoo lawyer stated that the company had confirmed the new totals on October 2, 2017, based on further forensic investigation conducted in September 2017. That forensic investigation was prompted, Yahoo's counsel said, by recent information obtained from a third party about the scope of the August 2013 breach. As a result of the new disclosures, the federal judge granted the plaintiffs’ request to amend their complaint to add new allegations and causes of action, potentially including fraud claims and requests for punitive damages.

The SEC Breaks New Cybersecurity Ground

Just a month after issuing new interpretive guidance about public company disclosures of cyberattacks (see our Post and Alert ), the SEC has now issued its first cease-and-desist order and penalty against a public company for failing to disclose known cyber incidents in its public filings. The SEC's administrative order alleges that Yahoo violated Sections 17(a)(2) & (3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and related rules when its senior executives discovered a massive data breach in December 2014, but failed to disclose it until after its July 2016 merger announcement with Verizon.

During that two-year window, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo's cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company "faced the risk" of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.”

Yahoo management's discussion and analysis of financial condition and results of operation (MD&A) was also misleading, because it "omitted known trends and uncertainties with regard to liquidity or net revenue presented by the 2014 breach." Knowing full well of the massive breach, Yahoo nonetheless filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.

Despite being informed of the data breach within days of its discovery, Yahoo's legal and management team failed to properly investigate the breach and made no effort to disclose it to investors. As the SEC described the deficiency, "Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo's public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings to be misleading." Yahoo's in-house lawyers and management also did not share information with its auditors or outside counsel to assess disclosure obligations in public filings.

In announcing the penalty, SEC officials noted that Yahoo left "its investors totally in the dark about a massive data breach" for two years, and that "public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors." The SEC also noted that Yahoo must cooperate fully with its ongoing investigation, which may lead to penalties against individuals.

The First Hacker Faces Sentencing

Coincidentally, on the same day that the SEC announced its administrative order and penalty against Yahoo, one of the four hackers indicted for the Yahoo cyberattacks (and the only one in U.S. custody) appeared for sentencing before a U.S. District Judge in San Francisco. Karim Baratov, a 23-year-old hacker-for-hire, had been indicted in March 2017 for various computer hacking, economic espionage, and other offenses relating to the 2014 Yahoo intrusion.

His co-defendants, who remain in Russia, are two officers of the Russian Federal Security Service (FSB) and a Russian hacker who has been on the FBI's Cyber Most Wanted list since November 2013. The indictment alleges that the Russian intelligence officers used criminal hackers to execute the hacks on Yahoo's systems, and then to exploit some of that stolen information to hack into other accounts held by targeted individuals. 

Baratov is the small fish in the group. His role in the hacking conspiracy focused on gaining unauthorized access to non-Yahoo email accounts of individuals of interest identified through the Yahoo data harvest.  Unbeknownst to Baratov, he was doing the bidding of Russian intelligence officers, who did not disclose their identities to the hacker-for-hire. Baratov asked no questions in return for commissions paid on each account he compromised.

In November 2017, Baratov pled guilty to conspiracy to commit computer fraud and aggravated identity theft. He admitted that, between 2010 and 2017, he hacked into the webmail accounts of more than 11,000 victims, stole and sold the information contained in their email accounts, and provided his customers with ongoing access to those accounts. Baratov was indiscriminate in his hacking for hire, even hacking for a customer who appeared to engage in violence against targeted individuals for money. Between 2014 and 2016, he was paid by one of the Russian intelligence officers to hack into at least 80 webmail accounts of individuals of interest to Russian intelligence identified through the 2014 Yahoo incident. Baratov provided his handler with the contents of each account, plus ongoing access to the account.

The government is seeking eight years of imprisonment, arguing that Baratov "stole and provided his customers the keys to break into the private lives of targeted victims." In particular, the government cites the need to deter Baratov and other hackers from engaging in cybercrime-for-hire operations. The length of the sentence alone suggests that Baratov is not cooperating against other individuals. Baratov's lawyers have requested a sentence of no more than 45 months, stressing Baratov's unwitting involvement in the Yahoo attack as a proxy for Russian intelligence officers.

In a somewhat unusual move, the sentencing judge delayed sentencing and asked both parties to submit additional briefing discussing other hacking sentences. The judge expressed concern that the government's sentencing request was severe and that an eight-year term could create an "unwarranted sentencing disparity" with sentences imposed on other hackers.

The government is going to the mat for Baratov's victims.  On May 8, 2018, the government fired back in a supplemental sentencing memorandum that reaffirms its recommended sentence of 8 years of imprisonment. The memorandum contains an insightful summary of federal hacking sentences imposed on defendants, with similar records who engaged in similar conduct, between 2008 and 2018. The government surveys various types of hacking cases, from payment card breaches to botnets, banking Trojans and theft and exploitation of intimate images of victims.

The government points to U.S. Sentencing Guidelines Commission data showing that federal courts almost always have imposed sentences within the advisory Guidelines range on hackers who steal personal information and do not earn a government-sponsored sentence reduction (generally due to lack of cooperation in the government's investigation). The government also expands on the distinctions between different types of hacking conduct and how each should be viewed at sentencing. It focuses on Baratov's role as an indiscriminate hacker-for-hire, who targeted individuals chosen by his customers for comprehensive data theft and continuous surveillance. Considering all of the available data, the government presents a very persuasive argument that its recommended sentence of eight years of imprisonment is appropriate. Baratov's lawyers may now respond in writing, and sentencing is scheduled for May 29, 2018.

Lessons from the Yahoo Hacking Incidents and Responses

There are many lessons to be learned from Yahoo's cyber incident odyssey. Here are some of them:

The Criminal Conduct

Cybercrime as a service is growing substantially.

Nation-state cyber actors are using criminal hackers as proxies to attack private entities and individuals. In fact, the Yahoo fact pattern shows that the Russian intelligence services have been doing so since at least 2014.

Cyber threat actors—from nation-states to lone wolves – are targeting enormous populations of individuals for cyber intrusions, with goals ranging from espionage to data theft/sale, to extortion.

User credentials remain hacker gold, providing continued, unauthorized access to online accounts for virtually any targeted victim.

Compromises of one online account (such as a Yahoo account) often lead to compromises of other accounts tied to targeted individuals. Credential sharing between accounts and the failure to employ multi-factor authentication makes these compromises very easy to execute.

The Incident Responses

It's not so much about the breach, as it is about the cover up. Yahoo ran into trouble with the SEC, other regulators and civil litigants because it failed to disclose its data breaches in a reasonable amount of time. Yahoo's post-breach injuries were self-inflicted and could have been largely avoided if it had properly investigated, responded to, and disclosed the breaches in real time.

SEC disclosures in particular must account for known incidents that could be viewed as material for securities law purposes.  Speaking in the future tense about potential incidents will no longer be sufficient when a company has actual knowledge of significant cyber incidents.

Regulators are laying the foundation for ramped-up enforcement actions with real penalties. Like Uber with its recent FTC settlement, Yahoo received some leniency for being first in terms of the SEC's administrative order and penalty. The stage is now set and everyone is on notice of the type of conduct that will trigger an enforcement action. 

Yahoo was roundly applauded for its outstanding cooperation with law enforcement agencies investigating the attacks. These investigations go nowhere without extensive victim involvement. Yahoo stepped up in that regard, and that seems to have helped with the SEC, at least.

Lawyers must play a key role in the investigation and response to cyber incidents, and their jobs may depend on it. Cyber incident investigations are among the most complex types of investigations that exist. This is not an area for dabblers and rookies. Organizations need to hire in-house lawyers with actual experience and expertise in cybersecurity and cyber incident investigations.

Senior executives need to become competent in handling the crisis of cyber incident response. Yahoo's senior executives knew of the breaches well before they were disclosed. Why the delay? And who made the decision not to disclose in a timely fashion?

The failures of Yahoo's senior executives illustrate precisely why the board of directors now must play a critical role not just in proactive cybersecurity, but in overseeing the response to any major cyber incident. The board must check senior management when it makes the wrong call on incident disclosure.

The Litigation

Securities fraud class actions may fare much better than consumer data breach class actions. The significant stock drop coupled with the clear misrepresentations about the material fact of a massive data breach created a strong securities class action that led to an $80 million settlement.  The lack of financial harm to consumers whose accounts were breached is not a problem for securities fraud plaintiffs.

Consumer data breach class actions are more routinely going to reach the discovery phase. The days of early dismissals for lack of standing are disappearing quickly.  This change will make the proper internal investigation into incidents and each step of the response process much more critical.

Although the jury is still out on how any particular federal judge will sentence a particular hacker, the data is trending in a very positive direction for victims. At least at the federal level, hacks focused on the exploitation of personal information are being met with stiff sentences in many cases. A hacker’s best hope is to earn government-sponsored sentencing reductions due to extensive cooperation. This trend should encourage hacking victims (organizations and individuals alike) to report these crimes to federal law enforcement and to cooperate in the investigation and prosecution of the cybercriminals who attack them.

Even if a particular judge ultimately goes south on a government-requested hacking sentence, the DOJ's willingness to fight hard for a substantial sentence in cases such as this one sends a strong signal to the private sector that victims will be taken seriously and protected if they work with the law enforcement community to combat significant cybercrime activity.

Current Legal Analysis

More from ballard spahr llp, upcoming legal education events.

Sign Up for e-NewsBulletins

To revisit this article, visit My Profile, then View saved stories .

• Backchannel
• Newsletters
• WIRED Insider
• WIRED Consulting

Lily Hay Newman

Yahoo's 2013 Email Hack Actually Compromised Three Billion Accounts

When Yahoo disclosed in December that a billion (yes, billion) of its users' accounts had been compromised in an August 2013 breach, it came as a staggering revelation. Now, 10 months later, the company would like to make a correction: That incident actually exposed three billion accounts—every Yahoo account that existed at the time.

On the one hand, this new information doesn't really change things in a practical sense, because the initial billion account estimate was already enormous—you could safely assume you were impacted—and Yahoo took protective steps for all users in December, like resetting passwords and unencrypted security questions. On the other hand, three billion accounts .

"They are as big as it gets," says Jeremiah Grossman, who worked as an information security officer at Yahoo for two years in the early 2000s and is now the chief of security strategy at SentinelOne. "Maybe Google or maybe Facebook, but the next mega-breach is not going to be orders of magnitude bigger.""

In this case, it took Yahoo three years to discover and disclose the breach, and almost four years to complete the investigation. And let's not confuse all of that with a separate Yahoo breach perpetrated in late 2014, and not disclosed until September 2016, that impacted 500 million accounts. That alone still holds as the second-biggest known breach of all time, in terms of impacted users. (One could argue that the recent Equifax breach , which impacted 145.5 million people, will ultimately have greater negative overall impact because of the particular sensitivity of the data involved.)

The most recent disclosure also comes after Yahoo's recent acquisition by Verizon and subsequent merger with AOL. Disclosing two enormous breaches back to back at the end of 2016 put a strain on the acquisition process, and even reportedly led Verizon to demand a price reduction.

Even though three billion sounds like a dramatic number, Grossman argues that it shouldn't come as a surprise. "To everybody on the outside, it looked to us when we originally read all the information that [the breach] must have impacted all the accounts," he says. The attackers "got so deep in the system, I couldn’t imagine why certain accounts would have been affected and not others."

Yahoo published information about the revision on its Account Security Update page , attempting to clarify the timeline of events. "Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft," the company wrote.

The update from Yahoo is a new high—that is to say, a new low—in terms of mega-breach scale. Think of it this way: On Monday, Equifax faced warranted criticism when it revised the number of people affected by its massive data breach from 143 million to 145.5 million. Yahoo's adjustment weighs in at 800 times that. The silver lining, one imagines, is that it quite literally can't get any worse.

Brian Barrett

Brendan I. Koerner

Steven Levy

Scott Gilbertson

Dhruv Mehrotra

Matt Burgess

Dell Cameron

Max Blaisdell

Eric Geller

Stephen Clark, Ars Technica

Andy Greenberg

An official website of the United States government

Here's how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

• The Attorney General
• Organizational Chart
• Budget & Performance
• Privacy Program
• Press Releases
• Photo Galleries
• Guidance Documents
• Publications
• Information for Victims in Large Cases
• Justice Manual
• Business and Contracts
• Why Justice ?
• DOJ Vacancies
• Legal Careers at DOJ
• Our Offices

Archived Press Releases

Archived News

Para Notícias en Español

U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts

A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts. The defendants are Dmitry Aleksandrovich Dokuchaev, 33, a Russian national and resident; Igor Anatolyevich Sushchin, 43, a Russian national and resident; Alexsey Alexseyevich Belan, aka “Magg,” 29, a Russian national and resident; and Karim Baratov, aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22, a Canadian national and a resident of Canada.

The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies. One of the defendants also exploited his access to Yahoo’s network for his personal financial gain, by searching Yahoo user communications for credit card and gift card account numbers, redirecting a subset of Yahoo search engine web traffic so he could make commissions and enabling the theft of the contacts of at least 30 million Yahoo accounts to facilitate a spam campaign.

The charges were announced by Attorney General Jeff Sessions of the U.S. Department of Justice, Director James Comey of the FBI, Acting Assistant Attorney General for National Security Mary McCord, U.S. Attorney Brian Stretch for the Northern District of California and Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

“Cyber crime poses a significant threat to our nation’s security and prosperity, and this is one of the largest data breaches in history,” said Attorney General Sessions. “But thanks to the tireless efforts of U.S. prosecutors and investigators, as well as our Canadian partners, today we have identified four individuals, including two Russian FSB officers, responsible for unauthorized access to millions of users’ accounts. The United States will vigorously investigate and prosecute the people behind such attacks to the fullest extent of the law.”

“Today we continue to pierce the veil of anonymity surrounding cyber crimes,” said Director Comey. “We are shrinking the world to ensure that cyber criminals think twice before targeting U.S. persons and interests.”

“ The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cybercrime matters, is beyond the pale,” said Acting Assistant Attorney General McCord. “Once again, the Department and the FBI have demonstrated that hackers around the world can and will be exposed and held accountable. State actors may be using common criminals to access the data they want, but the indictment shows that our companies do not have to stand alone against this threat. We commend Yahoo and Google for their sustained and invaluable cooperation in the investigation aimed at obtaining justice for, and protecting the privacy of their users.”

 “ This is a highly complicated investigation of a very complex threat. It underscores the value of early, proactive engagement and cooperation between the private sector and the government,” said Executive Assistant Director Abbate. “The FBI will continue to work relentlessly with our private sector and international partners to identify those who conduct cyber-attacks against our citizens and our nation, expose them and hold them accountable under the law, no mat ter where they attempt to hide.”

 “Silicon Valley’s computer infrastructure provides the means by which people around the world communicate with each other in their business and personal lives. The privacy and security of those communications must be governed by the rule of law, not by the whim of criminal hackers and those who employ them. People rightly expect that their communications through Silicon Valley internet providers will remain private, unless lawful authority provides otherwise. We will not tolerate unauthorized and illegal intrusions into the Silicon Valley computer infrastructure upon which both private citizens and the global economy rely,” said U.S. Attorney Stretch. “Working closely with Yahoo and Google, Department of Justice lawyers and the FBI were able to identify and expose the hackers responsible for the conduct described today, without unduly intruding into the privacy of the accounts that were stolen. We commend Yahoo and Google for providing exemplary cooperation while zealously protecting their users’ privacy.”

Summary of Allegations

According to the allegations of the Indictment:

The FSB officer defendants, Dmitry Dokuchaev and Igor Sushchin, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the U.S. and elsewhere. In the present case, they worked with co-defendants Alexsey Belan and Karim Baratov to obtain access to the email accounts of thousands of individuals.

Belan had been publicly indicted in September 2012 and June 2013 and was named one of FBI’s Cyber Most Wanted criminals in November 2013. An Interpol Red Notice seeking his immediate detention has been lodged (including with Russia) since July 26, 2013. Belan was arrested in a European country on a request from the U.S. in June 2013, but he was able to escape to Russia before he could be extradited.

Instead of acting on the U.S. government’s Red Notice and detaining Belan after his return, Dokuchaev and Sushchin subsequently used him to gain unauthorized access to Yahoo’s network. In or around November and December 2014, Belan stole a copy of at least a portion of Yahoo’s User Database (UDB), a Yahoo trade secret that contained, among other data, subscriber information including users’ names, recovery email accounts, phone numbers and certain information required to manually create, or “mint,” account authentication web browser “cookies” for more than 500 million Yahoo accounts.

Belan also obtained unauthorized access on behalf of the FSB conspirators to Yahoo’s Account Management Tool (AMT), which was a proprietary means by which Yahoo made and logged changes to user accounts. Belan, Dokuchaev and Sushchin then used the stolen UDB copy and AMT access to locate Yahoo email accounts of interest and to mint cookies for those accounts, enabling the co-conspirators to access at least 6,500 such accounts without authorization.

Some victim accounts were of predictable interest to the FSB, a foreign intelligence and law enforcement service, such as personal accounts belonging to Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of other providers whose networks the conspirators sought to exploit. However, other personal accounts belonged to employees of commercial entities, such as a Russian investment banking firm, a French transportation company, U.S. financial services and private equity firms, a Swiss bitcoin wallet and banking firm and a U.S. airline.

During the conspiracy, the FSB officers facilitated Belan’s other criminal activities, by providing him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by U.S. and other law enforcement agencies outside Russia, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers. Additionally, while working with his FSB conspirators to compromise Yahoo’s network and its users, Belan used his access to steal financial information such as gift card and credit card numbers from webmail accounts; to gain access to more than 30 million accounts whose contacts were then stolen to facilitate a spam campaign; and to earn commissions from fraudulently redirecting a subset of Yahoo’s search engine traffic.

When Dokuchaev and Sushchin learned that a target of interest had accounts at webmail providers other than Yahoo, including through information obtained as part of the Yahoo intrusion, they tasked their co-conspirator, Baratov, a resident of Canada, with obtaining unauthorized access to more than 80 accounts in exchange for commissions. On March 7, the Department of Justice submitted a provisional arrest warrant to Canadian law enforcement authorities, requesting Baratov’s arrest. On March 14, Baratov was arrested in Canada and the matter is now pending with the Canadian authorities.

An indictment is merely an accusation, and a defendant is presumed innocent unless proven guilty in a court of law.

The FBI, led by the San Francisco Field Office, conducted the investigation that resulted in the charges announced today. The case is being prosecuted by the U.S. Department of Justice National Security Division’s Counterintelligence and Export Control Section and the U.S. Attorney’s Office for the Northern District of California, with support from the Justice Department’s Office of International Affairs.

Defendants: At all times relevant to the charges, the Indictment alleges as follows:

• Dmitry Aleksandrovich Dokuchaev , 33, was an officer in the FSB Center for Information Security, aka “Center 18.” Dokuchaev was a Russian national and resident.
• Igor Anatolyevich Sushchin , 43, was an FSB officer, a superior to Dokuchaev within the FSB, and a Russian national and resident. Sushchin was embedded as a purported employee and Head of Information Security at a Russian investment bank.
• Alexsey Alexseyevich Belan , aka “Magg,” 29, was born in Latvia and is a Russian national and resident. U.S. Federal grand juries have indicted Belan twice before, in 2012 and 2013, for computer fraud and abuse, access device fraud and aggravated identity theft involving three U.S.-based e-commerce companies and the FBI placed Belan on its “Cyber Most Wanted” list.  Belan is currently the subject of a pending “Red Notice” requesting that Interpol member nations (including Russia) arrest him pending extradition. Belan was also one of two criminal hackers named by President Barack Obama on Dec. 29, 2016, pursuant to Executive Order 13694, as a Specially Designated National subject to sanctions.
• Karim Baratov , aka “Kay,” “Karim Taloverov” and “Karim Akehmet Tokbergenov,” 22. He is a Canadian national and a resident of Canada.

Victims: Yahoo; more than 500 million Yahoo accounts for which account information about was stolen by the defendants; more than 30 million Yahoo accounts for which account contents were accessed without authorization to facilitate a spam campaign; and at least 18 additional users at other webmail providers whose accounts were accessed without authorization.

Time Period: As alleged in the Indictment, the conspiracy began at least as early as 2014 and, even though the conspirators lost their access to Yahoo’s networks in September 2016, they continued to utilize information stolen from the intrusion up to and including at least December 2016.

The language of this release was updated to reflect the current citizenship of Karim Baratov.

Dmitri Dokuchae et al Indictment Redacted

Related Content

The Justice Department today filed a forfeiture complaint against a set of aircraft landing gear for a Boeing 737-800 that was detained in September 2023 at Miami International Airport by...

John Murray Rowe Jr., 65, of Lead, South Dakota, pleaded guilty in federal court today to one count of attempted delivery of national defense information to a foreign government, and...

Jareh Sebastian Dalke, 32, of Colorado Springs, was sentenced today to 262 months in prison for attempted espionage in connections with his efforts to transmit classified National Defense Information (NDI)...

Yahoo has had a years-long history of both data breaches and cases where hackers break into systems but do not take anything.

The collective hacks have led to a settlement in which affected parties can participate. Here is what this article will help you know:

What happened?

How did yahoo respond, what should cisos learn from this breach.

• What should you know about the settlement?
• Breaches are increasingly prevalent threats.

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

According to the website for the Yahoo data breach settlement , the company’s cyber security issues contained in this matter extended from 2012 to 2016. But, the information gets more specific and says data breaches involving stolen information occurred from 2013 and 2016, while so-called data security intrusions (where an infiltration happened without those responsible taking data) happened from at least January-April 2012.

Then, cybercriminals did not take the same kind of data in every case or behave the same way. For example, in 2012, two separate hackers broke into Yahoo's online infrastructure without taking anything.

The next year, cybercriminals behaved maliciously when they took records from all of Yahoo's accounts, which totaled about 3 billion . In that instance, the information seized by the hackers could have allowed them to access things like users' email accounts and calendars.

In 2014, hackers directly targeted Yahoo's user database, affecting about 500 million people. The cybercriminals reportedly got account details such as people's names, email addresses, passwords, phone numbers and birthdays.

Become a Cyber Security Hub member and gain exclusive access to our upcoming digital events, industry reports and expert webinars

The aftermath of that event continued for years later, sparking increased public awareness both about these breaches and the respective cyber security laws and regulations. It was not until 2018 that news broke about Yahoo's shell company receiving a $35 mn fine for failing to disclose the 2014 incident.

The final cyber security matter addressed by the settlement happened from 2015 to September 2016. In that instance, hackers used cookies to break into the accounts of about 32 million individuals.

Unfortunately, Yahoo failed to issue the kind of sweeping statement you might expect to give the public reassurance that the company has recommitted itself to cyber security in meaningful ways. Instead, the brand has a section on its website devoted to security notices . There, you can find the data breach notices that Yahoo sent to its users in September 2016, December 2016 and October 2017.

Here is a breakdown of what Yahoo pledged to do to stop future incidents in each case:

• Invalidated unencrypted security questions and answers
• Continually enhancing the systems that detect and prevent unauthorized access
• Required all affected and unaffected users to change their passwords

Yahoo's statements mentioned the company was working with law enforcement officials, but the documents did not give concrete details about the status of the investigations. The company did briefly reveal that a state-sponsored party may have been behind the 2014 issue.

Verizon Communications Inc., of which Yahoo is now a part, also promised to spend $306 mn between 2019 and 2022 to improve Yahoo's cyber security, which is five times more than what Yahoo itself spent between 2013 and 2016. Verizon also indicated it would quadruple Yahoo's IT staff.

See Related: Telling the cautionary tales of cyber crime

The Yahoo data breach was, in part, as bad as it was because of poor security practices. Hackers gained access to Yahoo’s network through the use of a phishing scheme. All it took was one employee with network access clicking on a malicious link for a hacker to get through. Once in, the hackers were able to guarantee their continued access to the network. Also, some confidential data — including security questions and answers — was stored unencrypted by Yahoo.

CISOs should prepare for attacks that use social engineering just as much as brute-force attacks. This will require CISOs to provide some level of cyber security education to non-cyber security and non-tech savvy staff. CISOs should also ensure that basic security measures — like the encryption of identifying information — are in place.

What should you Know about the settlement?

In April 2019, Yahoo agreed to a $117.5 mn settlement associated with the above incidents, which affected about three billion people. According to an article from Reuters, it covers approximately 896 million accounts belonging to as many as 194 million people in the US and Israel.

Breaches are increasingly prevalent threats

The frequent news of breaches is enough to make people think that they are at risk by using the internet in any way. Although it took a while for sufficient corrective action to happen in Yahoo's case, that is hopefully changing now.

See Related: Top 5 cyber security breaches of 2019 

FIND CONTENT BY TYPE

• Case Studies
• White Papers

Cyber Security Hub COMMUNITY

• Advertise with us
• Cookie Policy
• User Agreement
• Become a Contributor
• All Access from CS Hub
• Become a Member Today
• Media Partners

ADVERTISE WITH US

Reach Cyber Security professionals through cost-effective marketing opportunities to deliver your message, position yourself as a thought leader, and introduce new products, techniques and strategies to the market.

JOIN THE Cyber Security Hub COMMUNITY

Join CSHUB today and interact with a vibrant network of professionals, keeping up to date with the industry by accessing our wealth of articles, videos, live conferences and more.

Cyber Security Hub, a division of IQPC

Careers With IQPC | Contact Us | About Us | Cookie Policy

Become a Member today!

PLEASE ENTER YOUR EMAIL TO JOIN FOR FREE

Already an IQPC Community Member? Sign in Here or Forgot Password Sign up now and get FREE access to our extensive library of reports, infographics, whitepapers, webinars and online events from the world’s foremost thought leaders.

We respect your privacy, by clicking 'Subscribe' you will receive our e-newsletter, including information on Podcasts, Webinars, event discounts, online learning opportunities and agree to our User Agreement. You have the right to object. For further information on how we process and monitor your personal data click here . You can unsubscribe at any time.

The Yahoo Breaches of 2013 and 2014

• First Online: 25 February 2021

Cite this chapter

• Neil Daswani 3 &
• Moudy Elbayadi 4  

1813 Accesses

1 Citations

In 2016, Yahoo disclosed to the public that it had been breached in 2014. Yahoo’s 2014 breach exposed the names, email addresses, telephone numbers, birthdates, “hashed” passwords, and, in some cases, security questions of over 500 million users. While investigating the breach of 2014, Yahoo discovered that the company had been separately breached in 2013. Yahoo initially reported that the 2013 breach affected over one billion users while it was in the process of getting acquired by Verizon. In October 2017, after its acquisition by Verizon was complete, Yahoo reported that the 2013 breach affected all three billion users. Figure 7-1 shows a timeline of these breaches and the major events that occurred after the breaches. Yahoo was questioned and criticized for disclosing the breaches two to three years after they occurred. During a Senate hearing that took place in the aftermath of the breaches, frustrated Senator Thune of South Dakota asked former Yahoo CEO Marissa Mayer, “Why the delay in disclosing it? I mean it took from 2013, three years.”

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

• Available as EPUB and PDF
• Read on any device
• Instant download
• Own it forever
• Compact, lightweight edition
• Dispatched in 3 to 5 business days
• Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Source: https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users

Source: www.commerce.senate.gov/2017/11/executive-session

www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm

Passwords in Yahoo’s systems were hashed using the bcrypt algorithm described in “A Future-Adaptable Password Scheme” by Niels Provos and David Mazieres, published in the 1999 USENIX Annual Technical Conference and MD5, the Message Digest algorithm described in IETF RFC 1321.

More information about how password security systems should be architected can be found in Chapter 9 of Foundations of Security by Neil Daswani, Christoph Kern, and Anita Kesavan (Apress, 2007).

www.sec.gov/news/press-release/2018-71

Many websites will also send your browser a cookie before you log in, but the specific type of cookie that we are referring to here is an authentication cookie as opposed to a tracking cookie.

The name nonce comes from the fact that it is a number that should be used only once .

See Chapter 2 , Section 6 of Foundations of Security , on “Security by Obscurity” by Neil Daswani, Christoph Kern, and Anita Kesavan (Apress, 2007).

www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html

Author information

Authors and affiliations.

Pleasanton, CA, USA

Neil Daswani

Carlsbad, CA, USA

Moudy Elbayadi

You can also search for this author in PubMed   Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Neil Daswani and Moudy Elbayadi

About this chapter

Daswani, N., Elbayadi, M. (2021). The Yahoo Breaches of 2013 and 2014. In: Big Breaches. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-6655-7_7

Download citation

DOI : https://doi.org/10.1007/978-1-4842-6655-7_7

Published : 25 February 2021

Publisher Name : Apress, Berkeley, CA

Print ISBN : 978-1-4842-6654-0

Online ISBN : 978-1-4842-6655-7

eBook Packages : Professional and Applied Computing Apress Access Books Professional and Applied Computing (R0)

Share this chapter

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Publish with us

Policies and ethics

• Find a journal
• Track your research

• Election 2024
• Entertainment
• Newsletters
• Photography
• Personal Finance
• AP Investigations
• AP Buyline Personal Finance
• AP Buyline Shopping
• Press Releases
• Israel-Hamas War
• Russia-Ukraine War
• Global elections
• Asia Pacific
• Latin America
• Middle East
• Election Results
• Delegate Tracker
• AP & Elections
• Auto Racing
• 2024 Paris Olympic Games
• Movie reviews
• Book reviews
• Personal finance
• Financial Markets
• Business Highlights
• Financial wellness
• Artificial Intelligence
• Social Media

Russian agents, hackers charged in massive Yahoo breach

• Copy Link copied

WASHINGTON (AP) — Two Russian intelligence agents and a pair of hired hackers have been charged in a devastating criminal breach at Yahoo that affected at least a half billion user accounts, the Justice Department said Wednesday in bringing the first case of its kind against current Russian government officials.

In a scheme that prosecutors say blended intelligence gathering with old-fashioned financial greed, the four men targeted the email accounts of Russian and U.S. government officials, Russian journalists and employees of financial services and other private businesses, U.S. officials said.

Using in some cases a technique known as “spear-phishing” to dupe Yahoo users into thinking they were receiving legitimate emails, the hackers broke into at least 500 million accounts in search of personal information and financial data such as gift card and credit card numbers, prosecutors said.

“We will not allow individuals, groups, nation states or a combination of them to compromise the privacy of our citizens, the economic interests of our companies or the security of our country,” said Acting Assistant Attorney General Mary McCord, the head of the Justice Department’s national security division.

The case, announced amid continued U.S. intelligence agency skepticism of their Russian counterparts, comes as U.S. authorities investigate Russian interference through hacking in the 2016 presidential election. Officials said those investigations are separate.

One of the Yahoo-related defendants, a Canadian and Kazakh national named Karim Baratov, has been taken into custody in Canada. Another, Alexsey Belan, is on the list of the FBI’s most wanted cyber criminals and has been indicted multiple times in the U.S. It’s not clear whether he or the other two defendants, Dmitry Dokuchaev and Igor Sushchin, will ever step foot in an American courtroom since there’s no extradition treaty with Russia.

“I hope they will respect our criminal justice system,” McCord said.

The indictment identifies Dokuchaev and Sushchin as officers of the Russian Federal Security Service, or FSB. Belan and Baratov were paid hackers directed by the FSB to break into the accounts, prosecutors said.

Dokuchaev has been in custody in Russia since his arrest on treason charges in December, along with his superior and several others. Russian media have reported that Dokuchaev and his superior were accused of passing sensitive information to the CIA. The media reports also have contended that Dokuchaev was arrested by the FSB several years ago and offered a choice: serve a long prison sentence on hacking charges or sign a contract to work for the agency.

The FSB hasn’t commented, and the Justice Department did not confirm that.

Yahoo didn’t disclose the breach until last September when it began notifying hundreds of millions of users that their email addresses, birth dates, answers to security questions and other personal information may have been stolen. Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about 1 billion accounts, including some that were also hit in 2014.

U.S. officials said it was especially galling that the scheme involved officers from a Russian counterespionage service that theoretically should be working collaboratively with its FBI counterparts.

“Rather than do that type of work, they actually turned against that type of work,” McCord said.

Paul Abbate, an FBI executive assistant director, said the bureau had had only “limited cooperation with that element of the Russian government in the past,” noting that prior U.S. demands to turn over Belan had been ignored.

Though the U.S. government has previously charged individual Russian hackers with cybercrime — as well as hackers directly linked to the Chinese and Iranian governments — this is the first criminal case to name as defendants sitting members of the FSB for hacking charges, the Justice Department said.

U.S. intelligence authorities have concluded that Russian intelligence agencies were behind hacking efforts of Democratic email accounts in last year’s election. Officials say this case is separate from that investigation, though one of the defendants in the Yahoo case, Belan, was among the Russians sanctioned last year by the Obama administration.

The indictment, which includes charges of economic espionage, trade secret theft and unauthorized access to protected computers, arise from a compromise of Yahoo user accounts that began at least as early as 2014.

The Justice Department’s assertion that the FSB was directing the hacking likely provides political and legal cover for Yahoo, which saw its multibillion-dollar deal with Verizon teeter after it was forced to warn consumers that their private information might have been exposed.

Companies are more likely to be blamed for security incompetence when their networks are compromised by thieves or wayward teenagers than when they become the targets of sophisticated espionage carried out by foreign governments.

In a statement, Chris Madsen, Yahoo’s assistant general counsel and head of global security, thanked law enforcement agencies for their work.

“We’re committed to keeping our users and our platforms secure and will continue to engage with law enforcement to combat cybercrime,” he said.

Rich Mogull, CEO of the security firm Securosis, said the indictment “shows the ties between the Russian security service and basically the criminal underground,” something that had been “discussed in security circles for years.”

Cyber criminals gave Russian officials access to specific accounts they were targeting, and in return, Russian officials helped the criminals to evade authorities and let them keep the type of information that hackers that hack for money tend to exploit such as email addresses and logins and credit card information.

“We’ve come to expect that you don’t really figure out who performs these attacks,” Mogull said. The fact that the indictment ties together the FSB and criminals is a new development, he said. “It will be very interesting to see what comes up in court, and how they tie those two together.”

AP writers Howard Amos in Moscow, Ted Bridis in Washington, Michael Liedtke in San Francisco and Mae Anderson in New York contributed to this report.

Follow Eric Tucker at http://www.twitter.com/etuckerAP

Watch CBS News

Yahoo hack: Yahoo says hackers stole data from more than 1 billion user accounts

Updated on: December 14, 2016 / 10:08 PM EST / CBS/AP

SAN FRANCISCO -- Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users , which had been the most far-reaching hack until the latest revelation.

In a statement, Yahoo said they believe “some of this activity to the same state-sponsored actor” responsible for the Sept. hack. 

Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies,” the statement reads. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”       

“It’s shocking,” security expert Avivah Litan of Gartner Inc. 

• CNET: How to find out if you’re at risk in Yahoo hack

Both lapses occurred during the reign of  Yahoo CEO Marissa Mayer , a once-lauded leader who found herself unable to turn around the company in the four years since her arrival. Earlier this year, Yahoo agreed to sell its digital operations to Verizon Communications for $4.8 billion — a deal that may now be imperiled by the hacking revelations.   

Two hacks, more than 1 billion accounts 

Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion. 

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks. 

In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected. 

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)

Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals.

That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.

Questions for Verizon

News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business.

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.” Spokesman Bob Varettoni declined to answer further questions.

At the very least, the security lapses “definitely will help Verizon in its negotiations to lower the price,” Litan predicted. Yahoo has argued that news of the 2014 hack didn’t negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms.

“This just adds to fuel to the fire and it won’t help Yahoo’s cause,” said Eric Jackson, a longtime critic of the company’s management. Although he has in the past, Jackson doesn’t currently own Yahoo stock.

Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack. 

More from CBS News

4 cold case murders in Canada linked to U.S. serial rapist

TikTok says it's testing letting users post 60-minute videos

U.S. troops to complete withdrawal from Niger by mid-September, Pentagon says

Hungary's far-right PM Viktor Orbán has made "some smart decisions," Sen. J.D. Vance says

• Share full article

Advertisement

Supported by

Russian Agents Were Behind Yahoo Hack, U.S. Says

By Vindu Goel and Eric Lichtblau

• March 15, 2017

SAN FRANCISCO — The Justice Department charged two Russian intelligence officers on Wednesday with directing a sweeping criminal conspiracy that stole data on 500 million Yahoo accounts in 2014, deepening the rift between American and Russian authorities on cybersecurity.

The Russian government used the information obtained by the intelligence officers and two other men to spy on a range of targets, from White House and military officials to executives at banks, two American cloud computing companies, an airline and even a gambling regulator in Nevada, according to an indictment . The stolen data was also used to spy on Russian government officials and business executives, federal prosecutors said.

Russians have been accused of other cyberattacks on the United States — most notably the theft of emails last year from the Democratic National Committee. But the Yahoo case is the first time that federal prosecutors have brought cybercrime charges against Russian intelligence officials, according to the Justice Department.

Particularly galling to American investigators was that the two Russian intelligence agents they say directed the scheme, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, worked for an arm of Russia’s Federal Security Service, or F.S.B., that is supposed to help foreign intelligence agencies catch cybercriminals. Instead, the officials helped the hackers avoid detection.

“The involvement and direction of F.S.B. officers with law enforcement responsibilities makes this conduct that much more egregious,” said Mary B. McCord, the acting assistant attorney general, at a news conference in Washington to announce the charges.

The two other men named in the indictment include a Russian hacker already indicted in connection with three other computer network intrusions and a Kazakh national living in Canada. One of the hackers also conducted an extensive spamming operation, stole credit and gift card information, and diverted Yahoo users looking for erectile dysfunction drugs to a particular pharmacy.

Yahoo Says It Was Hacked. Here’s How to Protect Yourself.

Simple tips to follow if you think your personal information online has been exposed to hackers.

Nikolay Lakhonin, a spokesman for the Russian embassy in Washington, said that Moscow had no “official reaction” to the indictments. But Mr. Lakhonin did point a reporter to two articles posted Wednesday in the Russian-sponsored Sputnik News that were openly skeptical of the charges. One was headlined “Yahoo Hack: What US Mainstream Media Don’t Tell You About Russian ‘Spy.’”

Indeed, one of the two Russian intelligence agents indicted in the Yahoo case, Mr. Dokuchaev, was arrested in early December in what amounted to a purge of the Center for Information Security, the cyberwing of the F.S.B. Mr. Dokuchaev, who was reportedly a former hacker recruited to work in the F.S.B. at least seven years ago, and a fellow officer were accused of treason for passing secret information to the United States.

United States officials said Wednesday that they were not certain if the Dmitry Dokuchaev arrested in December was the same man as the one named in the indictment.

The Justice Department’s 47-count indictment , which was filed under seal in Federal District Court in San Francisco on Feb. 28, immediately threatened to escalate diplomatic tensions over Russia’s meddling in the November election.

“The indictments are intended to be a clear, public signal of what we will not accept,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies, a research organization in Washington. “If you’re one of these people, you can’t leave Russia. You know you’ve been caught. There is an Interpol warrant out for your arrest.”

Karim Baratov is the only one of the accused hackers who has been arrested in connection with the case. He was captured by the authorities in Canada on Tuesday. The chances of the United States taking the other three into custody any time soon appear slim, especially because the United States has no extradition treaty with Russia.

Indictment in Yahoo Data Breach

Four men, including two Russian intelligence agents, face 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft.

The fourth person involved in the scheme, a Russian named Alexsey Belan, had been indicted twice before for three intrusions into American e-commerce companies. At one point, he was arrested in Europe, but he escaped to Russia before he could be extradited. Prosecutors said they had repeatedly asked the Russian government to hand over Mr. Belan but had gotten no response.

Nonetheless, officials said that they believe criminal charges serve as a powerful tool to deter cyberattacks. For example, they said, China’s hacking against United States targets decreased after charges were brought against five military officials there in 2014 over damaging attacks against government and private-sector systems.

The action on Wednesday was the latest in a series of criminal prosecutions that American officials have brought since 2014 against cyberattackers who they charge were acting on behalf of foreign governments, including China, North Korea, and Iran.

Yahoo disclosed the theft of its data in September and said it was working with the law enforcement authorities to trace the perpetrators. The hackers were able to use the stolen information, which included personal data as well as encrypted passwords, to create a tool that gave them access to 32 million accounts over a period of two years.

In a statement on Wednesday, Yahoo thanked the F.B.I. and the Justice Department for their work.

Jack Bennett, the special agent in charge of the F.B.I.’s San Francisco office, said that his investigators had worked on the case for two years, although the inquiry intensified last year.

It remains unclear why Yahoo users were not informed about the hack during that time. An internal investigation by the company’s board found that some senior executives and information security personnel were aware of the breach shortly after it occurred but “failed to properly comprehend or investigate” the situation. Two weeks ago, the company’s top lawyer, Ronald S. Bell, resigned over the episode , and its chief executive, Marissa Mayer, lost her 2016 bonus and 2017 stock compensation.

How Many Times Has Your Personal Information Been Exposed to Hackers?

Find out which parts of your identity may have been stolen in major hacking attacks over the last several years.

Mr. Bennett said the F.B.I. was still investigating a separate, larger breach of one billion Yahoo accounts that occurred in 2013 but was disclosed by the company only three months ago. Yahoo has said it has not been able to glean much information about that attack, which was uncovered by InfoArmor , an Arizona security firm.

The two thefts, the largest known breaches of a private company’s computer systems, had threatened to scuttle a deal that Yahoo struck last summer to sell its internet businesses to Verizon Communications. Verizon sought to shave $925 million from the original $4.8 billion deal following news of the attacks, but last month, the two companies finally agreed to a $350 million price reduction .

Ms. McCord and other officials would not discuss any connection between the charges in the Yahoo case and an ongoing investigation into Russia’s meddling in the November election and a large-scale hack at the Democratic National Committee . Some investigators believe that the F.S.B. orchestrated the D.N.C. hack to help President Trump win the election.

Democrats were quick to link the attacks. Senator Dianne Feinstein of California, the top Democrat on the Intelligence Committee, said that with Russia blamed in the cyberattacks involving both Yahoo and the presidential election, “the United States must take steps not only to bring those responsible to justice but also ensure future attacks are not allowed to occur in the first place.”

The main purpose of the Yahoo hack was to gather political and economic intelligence, officials said. The hackers stole a database of 500 million Yahoo users and other Yahoo software code which they used to falsify cookies, a technique that gave them full access to millions of Yahoo accounts without needing the passwords.

They found accounts of interest by searching non-Yahoo, recovery email addresses that users provided, allowing them to target employees of specific companies or organizations for other attacks. At least 50 Gmail accounts were targeted, as were accounts at financial firms and other technology providers.

Mr. Belan, one of the F.B.I.’s most-wanted cybercriminals, was also making money on the side as part of the scheme, officials said. He used information from the Yahoo accounts to steal credit and gift card numbers, send spam and redirect searches for erectile dysfunction treatments to an online pharmacy that paid for the traffic, according to the indictment.

Vindu Goel reported from San Francisco and Eric Lichtblau from Washington. Nicole Perlroth contributed reporting from Denver, Andrew E. Kramer from Moscow, and Daisuke Wakabayashi from San Francisco.

Follow Vindu Goel on Twitter @vindugoel. Follow Eric Lichtblau @EricLichtblau.

Russia-linked hacker gets 5 years in Yahoo security breach

Prosecutors called the 23-year-old an "international hacker-for-hire."

A hacker who worked for a Russian spy agency was sentenced Tuesday to five years in prison for using data stolen in a massive Yahoo data breach to gain access to private emails.

Karim Baratov, 23, also agreed to pay restitution to his victims and a fine of up to $2.25 million, the Department of Justice said in a statement. Baratov  pleaded guilty  in November to aggravated identity theft and conspiring to commit computer fraud and abuse.

Working with agents from the Russian intelligence agency called FSB, Baratov hacked into email accounts hosted by Google and Yandex. The same agents were also allegedly responsible for the 2014 hack of Yahoo that compromised 500 million user accounts.

Prosecutors called Baratov, a Canadian national, an " international hacker-for-hire " who hacked without discussion or hesitation for Dmitry Dokuchaev, an officer for the FSB.

"The sentence imposed reflects the seriousness of hacking for hire," said Acting U.S. Attorney Alex Tse. "Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them."

Baratov was accused of sending phishing emails to specific email accounts, tricking users into handing over their usernames and passwords, and then sending the login information to Russian agents. 

A two-year investigation by the FBI's San Francisco branch found evidence Russian spies helped to break into Yahoo to steal information from US government officials, Russian dissidents and journalists. The Yahoo breach is the largest hacking case ever handled by the US government.

Other victims of the hacks included employees of a Russian cybersecurity company, a Russian investment banking firm, a French transportation company, US financial firms, a Swiss bitcoin wallet and a US airline. Investigators said the spies also hacked their victims' spouses and children's emails to dig up extra dirt.

First published May 29, 3:36 p.m. PT. Update, 4:59 p.m. : Adds comments from DOJ, additional details. 

Security : Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded : CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.

Why did Yahoo take so long to disclose its massive security breach?

Assistant Professor of Computer Science and Electrical Engineering, West Virginia University

Disclosure statement

Yanfang Ye does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

West Virginia University provides funding as a member of The Conversation US.

View all partners

In late September, Yahoo announced that at least 500 million user accounts had been compromised . The data stolen included users’ names, email addresses, telephone numbers, dates of birth and encrypted passwords, but not credit card data. Large data breaches have become increasingly common: Just in 2016 we have found out about Yahoo’s breach as well as the LinkedIn hack (compromising 167 million accounts) and the MySpace breach (360 million accounts).

The Yahoo breach affected more users than the other two, but all of them share a crucial element: They were announced to the public years after the fact . The LinkedIn hack happened in 2012 , MySpace was breached in 2013 and Yahoo was hacked in 2014. Not until 2016 did users of the three sites found out their information had been stolen.

When personal information is stolen, rapid response is important. Customers need to change their passwords, and take other steps to protect their identity, including securing bank accounts and credit records. If people don’t know a breach has occurred and that they need to take these protective steps, they remain vulnerable.

So why does it take such a long time for companies to disclose that they have been hacked? It’s not as simple as you might think – or hope.

Time is a key factor

It’s not yet clear when Yahoo learned about its attack, though in this case the timing is questionable. A news article published on August 1 quoted a company spokesperson saying Yahoo was “aware” a hacker was selling login details for 200 million Yahoo accounts in an online black market.

But more than a month later, the company filed a document with U.S. financial regulators saying it didn’t know of any claims of “unauthorized access” that might have an effect on its pending sale to Verizon . And Verizon said publicly that it had heard about the breach only two days before Yahoo announced it to the world.

All those events, of course, were years after the breach had actually happened. This is an uncommonly long delay. According to a recent report from network security firm FireEye, in 2015 the median amount of time an organization’s network was compromised before the breach was discovered was 146 days.

That includes all sizes of companies in all types of business. As a major internet company with an extremely large user base, it’s reasonable to expect Yahoo might detect – and disclose – breaches much sooner than other firms.

Detecting, and confirming, the hack

The company has said it believes the attack was conducted by a national government, though it hasn’t said from what country. That may suggest the attack was more sophisticated, and therefore harder to detect – but it’s impossible to know if that’s true , because the company has declined to offer details of how the breach was achieved.

In addition, anyone on the internet can claim anything they want – companies have to investigate their systems to find out whether someone who is advertising they have login information for sale actually took anything, or is just making it up to cause trouble.

Nontechnical reasons that Yahoo took so long to discover the hack could include frequent changes in leadership of its security team and the companywide stress of finding a buyer.

Notifying the public

Once a company has learned it has been hacked, it’s important to tell customers – and the public – so that people can take proper measures to protect their information, privacy and identities.

At present there is no federal law regarding when companies must tell the public about information security breaches. In 2015, Democrats proposed giving firms 30 days from discovering a hack to announcing it had happened. That effort failed because many states, which have varying requirements, have stricter standards that the federal law would have overruled.

Recovering a corporate reputation

Tech companies can typically recover quickly from data breaches – if they respond fast and take the necessary steps to notify their users. That’s true even for corporations whose data breaches resulted in the compromise of customers’ credit card information, such as Target in 2013 and Home Depot in 2014 .

Lawsuits filed after the breaches have cost companies millions in settlement costs, not to mention legal fees and lost business. The lesson is clear: Early disclosure of a data breach is better. If Yahoo knew about its hack as early as August – or even years ago – and took this long to announce it to the public, the company has manifestly betrayed its users’ trust.

Though Yahoo urged users to change their passwords and security questions after the public disclosure of the security breach, thousands of users took to social media to express anger that it had taken the company two years to uncover the data breach. The lawsuits filed against Yahoo are mounting.

It can be extremely difficult for companies, even tech-focused ones like Yahoo, to protect themselves from skilled and determined hackers. But not reporting the attack as soon as it’s suspected can be almost as damaging as the hack itself.

• Cybersecurity
• Consumer protection

Case Management Specialist

Lecturer / Senior Lecturer - Marketing

Assistant Editor - 1 year cadetship

Executive Dean, Faculty of Health

Lecturer/Senior Lecturer, Earth System Science (School of Science)

• Skip to main content
• Keyboard shortcuts for audio player

The Two-Way

Every yahoo account that existed in mid-2013 was likely hacked.

Alina Selyukh

A new disclosure from Yahoo — now known as Oath after it was bought by telecom company Verizon — dramatically escalates the size of the 2013 hack revealed last year. Marcio Jose Sanchez/AP hide caption

A new disclosure from Yahoo — now known as Oath after it was bought by telecom company Verizon — dramatically escalates the size of the 2013 hack revealed last year.

Every user who had a Yahoo account in August 2013 was likely affected by its massive hack, the company's parent, Verizon, said Tuesday.

This latest disclosure triples the number of accounts compromised by the major 2013 data breach that the company disclosed late last year . At the time, Yahoo said hackers had stolen data associated with 1 billion user accounts; the new disclosure escalates that number to 3 billion.

Despite news of the hack's much-broader scope, the company says the steps needed to protect all of its users were already taken last year, when the hack was first discovered.

As originally announced , hackers in the 2013 breach stole account information such as names, email addresses, phone numbers, birth dates as well as hashed passwords and security questions and answers. Yahoo, now known as Oath, says in late 2016 it forced password changes for all accounts that haven't done so since 2013 and invalidated old security questions and answers.

Credit card and bank account data was not taken in the breach, according to the company's investigation.

Yahoo learned that the already-vast breach had ballooned thanks to new intelligence "obtained" recently, after Verizon closed its deal to buy Yahoo. Verizon has folded together the tech giant and previously purchased AOL under the umbrella brand Oath.

Oath spokesman Charles Stewart did not elaborate on how the information was obtained, but said the new intelligence led to a new investigation by the company's security team, completed less than a week ago.

The security industry's favorite adage is that there are two types of companies: those that have been hacked and those that don't know they have been hacked. Among those that know, Yahoo stands out.

Over the course of 2016, Yahoo set and then beat its own record for the largest-ever disclosed data breach. Last September, Yahoo reported an incident affecting 500 million accounts that took place in 2014. Then, in December, came the disclosure of the 2013 hack, which was presented as "likely distinct."

The 2014 hack was believed to be state-sponsored and later led to a trial of a Canadian hacker and charges against Russian government agents — a relatively rare development for crimes of such caliber. But many questions remain about the 2013 hack and its perpetrators; in fact, the company has been unable to identify the intrusion.

An internal investigation by Yahoo's board in March found that the company's information security team, senior executives and some legal staff were aware of a state-sponsored hack in 2014, according to a regulatory filing , that adds:

"It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. ... However, the Independent Committee did not conclude that there was an intentional suppression of relevant information. "Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."

Yahoo's then-top lawyer resigned without severance pay as a result, and then-CEO Marissa Mayer lost her 2016 bonus. She later left the company as Yahoo was bought by Verizon.

• cybersecurity
• data breach
• cybersecurity breach

• Work & Careers
• Life & Arts

Become an FT subscriber

Try unlimited access Only $1 for 4 weeks

Then $75 per month. Complete digital access to quality FT journalism on any device. Cancel anytime during your trial.

• Global news & analysis
• Expert opinion
• Special features
• FirstFT newsletter
• Videos & Podcasts
• Android & iOS app
• FT Edit app
• 10 gift articles per month

Explore more offers.

Standard digital.

• FT Digital Edition

Premium Digital

Print + premium digital, ft professional, weekend print + standard digital, weekend print + premium digital.

Essential digital access to quality FT journalism on any device. Pay a year upfront and save 20%.

• Global news & analysis
• Exclusive FT analysis
• FT App on Android & iOS
• FirstFT: the day's biggest stories
• 20+ curated newsletters
• Follow topics & set alerts with myFT
• FT Videos & Podcasts
• 20 monthly gift articles to share
• Lex: FT's flagship investment column
• 15+ Premium newsletters by leading experts
• FT Digital Edition: our digitised print edition
• Weekday Print Edition
• Videos & Podcasts
• Premium newsletters
• 10 additional gift articles per month
• FT Weekend Print delivery
• Everything in Standard Digital
• Everything in Premium Digital

Complete digital access to quality FT journalism with expert analysis from industry leaders. Pay a year upfront and save 20%.

• 10 monthly gift articles to share
• Everything in Print
• Make and share highlights
• FT Workspace
• Markets data widget
• Subscription Manager
• Workflow integrations
• Occasional readers go free
• Volume discount

Terms & Conditions apply

Explore our full range of subscriptions.

Why the ft.

See why over a million readers pay to read the Financial Times.

International Edition

Yahoo says all three billion accounts hacked in 2013 data theft

• Medium Text

Reporting by Munsif Vengattil, Jim Finkle, Jim Christie, Jon Stempel, and David Shepardson; writing by Stephen Nellis in San Francisco; Editing by Andrew Hay and Lisa Shumaker

Our Standards: The Thomson Reuters Trust Principles. New Tab , opens new tab

Technology Chevron

Venture capital investment in crypto picks up after long decline.

Global venture capital investment in crypto companies rose to $2.4 billion in the first three months of 2024, data showed on Monday, in a tentative sign that investor interest is returning.

Paris-based quantum computer startup company Pasqal announced it had signed a partnership with Saudi Arabia's state oil giant Aramco to install the first quantum computer in the country.

Britain’s artificial intelligence (AI) safety institute will open an office in the United States, hoping to foster greater international collaboration on the regulation of a fast-moving technology.

• Today's news
• Reviews and deals
• Climate change
• 2024 election
• Fall allergies
• Health news
• Mental health
• Sexual health
• Family health
• So mini ways
• Unapologetically
• Buying guides

Entertainment

• How to Watch
• My watchlist
• Stock market
• Biden economy
• Personal finance
• Stocks: most active
• Stocks: gainers
• Stocks: losers
• Trending tickers
• World indices
• US Treasury bonds
• Top mutual funds
• Highest open interest
• Highest implied volatility
• Currency converter
• Basic materials
• Communication services
• Consumer cyclical
• Consumer defensive
• Financial services
• Industrials
• Real estate
• Mutual funds
• Credit cards
• Balance transfer cards
• Cash back cards
• Rewards cards
• Travel cards
• Online checking
• High-yield savings
• Money market
• Home equity loan
• Personal loans
• Student loans
• Options pit
• Fantasy football
• Pro Pick 'Em
• College Pick 'Em
• Fantasy baseball
• Fantasy hockey
• Fantasy basketball
• Download the app
• Daily fantasy
• Scores and schedules
• GameChannel
• World Baseball Classic
• Premier League
• CONCACAF League
• Champions League
• Motorsports
• Horse racing
• Newsletters

New on Yahoo

• Privacy Dashboard

The Chipotle Ordering Hack That Could Get You Way Bigger Portions

Fans of Chipotle are always looking for ways to maximize their meals. Take the Chipotle ordering hack that results in more protein , which is perfect for ultra-hungry diners. Another ingenious hack making the rounds on TikTok suggests ordering extra sides to score a massive amount of food for under $10, according to the creator of the video. In the clip, the TikToker presents a giant container brimming with meat, veggies, rice, and other goodies, claiming it equals "four meals."

It's a fact of life that some restaurant hacks aren't all they're cracked up to be (such as certain fast food secret menu items you can probably skip ). Accordingly, it's natural to be a bit skeptical of this hack, especially when you see just how much food it supposedly results in. To verify whether the hack works, Daily Meal reached out to Chipotle and asked whether restaurants typically charged for extra sides. According to the representative, individual locations get to decide how to handle costs related to extra sides. And in some cases, customers are not charged for any added sides that fit into the bowl.

Read more: The Ultimate Ranking Of American Fast Food Restaurants

When Customers Might Be Charged For Extras At Chipotle

As you might expect, viewers of the TikTok clip detailing Chipotle's ordering hack expressed a bit of doubt. As stated by a commenter, "Once I asked for extra lettuce and I got legit [three] strands." Another person said, "I'll say extra rice, beans, etc and they BARELY give you more." However, the original poster remained steadfast in their claim that their hack was the real deal, stating, "I always order through the chipotle lane and get mounds of food!"

With any type of fast food hack, customers must remember that different locations have different rules, and these rules will impact the total cost of your meal. As stated by the Chipotle representative contacted by Daily Meal, certain locations begin charging for sides if you get three or more. In this case, charges can range from 30 cents to $1.15 depending on the restaurant. Other locations might charge for additions if you request an extra cup of a topping that's already included in the bowl.

Putting The Extra Sides Hack Into Action

In addition to speaking with Chipotle, Daily Meal also tested out the TikTok -endorsed hack on the app. When ordering the chicken bowl via the app, customers are allowed a maximum of three sides per order. However, you're free to order as many extra toppings as you'd like without incurring an additional charge (provided the toppings don't naturally involve an added charge, such as queso or guacamole). Upon checkout, the price of the order remained the same as the original chicken bowl without all the embellishments.

Keep in mind that your experiences may differ based on the policies of your preferred Chipotle. You may also experience differences when ordering online versus ordering in store, which is a factor with the Chipotle burrito hack that's a little too good to be true . If you're a Chipotle regular and want to get freebies, consider joining the chain's points-based rewards program. That way, you can rest assured of savings if your local Chipotle is not as generous with its extra sides.

Read the original article on Daily Meal

Recommended Stories

Chipotle cfo says diners will keep burritos in their budget as us gdp growth slows.

Chipotle is seeing all income cohorts spend more and visit more frequently.

Chipotle blows by earnings estimates as resilient foot traffic, margin expansion boost Q1 results

Chipotle posted another strong quarter against a difficult macro backdrop.

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

Founder-market fit is one of the most crucial factors in a startup's success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage in finding that fit. Data shows that a lack of expertise and business acumen in founders contributes to failed VC investments. The same principle applies somewhat to operator VCs (firms typically launched by former startup founders).

Longtime Oakland Raiders center, Hall of Famer Jim Otto dies at 86

Jim Otto appeared in 210 straight games for the Raiders and was one of just three players who appeared in every single regular season AFL game throughout his career.

Denver Nuggets 2024 NBA offseason preview: Expect the former champs to run it back

The Nuggets have the best player in basketball in Nikola Jokić, and he should have at least another 5-6 years left of MVP-caliber play.

Pacers' Tyrese Haliburton gets last word after defeating Knicks with Reggie Miller hoodie

Indiana Pacers star Tyrese Haliburton took one last dig at the New York Knicks with a sweatshirt sporting an infamous Reggie Miller photo.

NASCAR: Joey Logano leads 199 of 200 laps to win All-Star Race

Logano started on the pole and never got passed under green.

Iran's president was in a helicopter crash: Here's what we know — and what we don't

Iran's president was involved in a helicopter crash. Here's what we know — and what we don't so far.

Why companies are turning to internal hackathons

One way to do that is by running an internal hackathon around a theme and having employees attack a problem together. Brandon Kessler, CEO and co-founder at DevPost, a company that helps customers organize and manage internal and external hackathons, says that he’s seen how hackathons help companies encourage their employees to solve big problems. “Without question, innovation and collaboration are the two key value props when it comes to running internal hackathons, and almost everyone wants both,” Kessler told TechCrunch.

I’m rooting for Melinda French Gates to fix tech's broken ‘brilliant jerk’ culture

On Monday, Melinda French Gates resigned from the philanthropy organization she ran with ex-husband Bill Gates. French Gates will leave next month with an additional $12.5 billion, she said. The Gates Foundation famously works on projects to help impoverished people, especially in developing countries, such as fighting malaria, polio or improving sanitation.

• Search Please fill out this field.
• Manage Your Subscription
• Give a Gift Subscription
• Newsletters
• Sweepstakes
• Entertainment

What Happened to Ashley Madison? The True Story of the Dating Site's Infamous 2015 Hack — and How It Bounced Back

In 2015, the identities of the 37 million users of infidelity website Ashley Madison were hacked and revealed online

Courtesy of Netflix

The infamous 2015 hack of the dating website Ashley Madison led to multiple headline-making scandals — and now, a new Netflix documentary is revisiting the data leak and its aftermath.

Ashley Madison rose to fame in the early 2000s as the first — and only — dating website for married people seeking affairs. The website drew criticism for its promiscuous premise, but the naysayers had little to no effect on Ashley Madison’s success. By 2015, the infidelity site had nearly 40 million users worldwide and was projected to earn $150 million in revenues, Ashley Madison's then-CEO Noel Biderman told Business Insider at the time.

“The vision was to be the largest and only website for married people who wanted to have an affair,” an employee said in the trailer for Netflix’s docuseries Ashley Madison: Sex, Lies & Scandal , which began streaming on May 15.

Ashley Madison was well on its way to realizing that vision when it all came crashing down in July 2015. Internet hackers stole the customer data for all 37 million of Ashley Madison’s users — and posted it online in August 2015. The data leak and its fallout led to the resignation of Ashley Madison’s CEO and the public humiliation of its users.

Adding to the drama was the fact that multiple high-profile figures were named in the Ashley Madison hacking scandal, including Josh Duggar , Hunter Biden (although he denies that he had an account), former Real Housewives of New York City husband Josh Taekman and Snooki ’s husband Jionni Lavalle (Snooki has fiercely denied Lavalle had used the site). But Netflix’s three-part docuseries takes a closer look at the everyday people who signed up for the cheating website — and how the data leak affected their relationships and their lives.

“Rather than berating people who joined Ashley Madison we were much more interested in exploring why they were drawn to the site — what were they looking for? What was going on in their relationships? And crucially — what was their partner’s side of the story?” Toby Paton, the series director, wrote in a statement, per Variety .

But what is the true story of Ashley Madison and its 2015 hack? Here’s everything to know about the infamous dating website’s rise, fall and rebirth.

What is Ashley Madison?

Ashley Madison is an online dating service that was originally targeted towards people looking to have an affair — either with married individuals or singles.

The site was founded in 2001 by Toronto native Noel Biderman, a former attorney, sports agent and “self-described happily married father of two,” according to a 2009 profile in the Los Angeles Times . Biderman is also behind the website’s name — a combination of the two most popular baby names for girls in 2001 — and its infamous slogan: “Life is short. Have an affair.”

The premise of Ashley Madison was quick to ruffle feathers, with critics claiming it was promoting promiscuity and profiting off of marital strife.

“This is a business built on the back of broken hearts, ruined marriages and damaged families,” Trish McDermott, a dating-industry consultant who helped found Match.com and Engage.com, told TIME in 2009. “It’s in the business of rebranding infidelity.”

But Biderman was a staunch defender of Ashley Madison, even claiming that the company “preserves more marriages than we break up,” according to the Los Angeles Times .

“Infidelity has been around a lot longer than Ashley Madison,” Biderman told the outlet. “Given that affairs are going to happen no matter what, maybe we should see Ashley Madison as a safe alternative.”

Though the company's morals could be debated, its success could not: By 2015, the site boasted nearly 40 million users and was projected to top $150 million in revenue, Business Insider reported. Ashley Madison was even considering a $200 million IPO on the London stock exchange in the spring of 2015, according to Fortune .

What happened to Ashley Madison during the data breach?

Steve Meddle/Shutterstock

In July 2015, a group of anonymous internet sleuths called The Impact Team hacked Ashley Madison’s website — stealing user account data for its 37 million users and threatening to post it online.

The data stolen included users’ login details, email addresses, payment transaction history and passwords. The Impact Team threatened to release all customer records (including sexual fantasies, credit card information and real names and addresses) online unless Avid Life Media — Ashley Madison’s parent company — shut down all of its websites, per Business Insider.

At the time of the initial breach, The Impact Team revealed their motivation for the cyber attack. According to the hackers, Ashley Madison charged users $19 for a full delete of their profile (reportedly earning the company $1.7 million in profit in 2014) — but didn’t actually follow through with the requests.

“You promised secrecy but didn’t deliver,” the hackers stated, according to Business Insider. “We've got the complete set of profiles in our DB dumps, and we'll release them soon if Ashley Madison stays online ... A significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

That “very bad day” came in August 2015, when the hackers made good on their threat and released the customer data for all 37 million of Ashley Madison’s users.

“This event is not an act of hacktivism, it is an act of criminality,” Avid Life Media said in a statement following the data release, per Wired . “It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities ... We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

Following the data breach, a $576 million class action lawsuit accusing the company of negligence, invasion of privacy and emotional distress was filed in California. Ashley Madison's parent company settled for $11.2 million in 2017.

Who was exposed in the 2015 hack of Ashley Madison?

D Dipasupil/Getty ; Johnny Nunez/WireImage

Several high-profile figures were exposed when hackers posted the customer data for all of Ashley Madison’s 37 million users.

Josh Duggar , Real Housewives of New York City husband Josh Taekman , YouTube’s Sam Rader , Snooki’s husband Jionni LaValle and Hunter Biden were all named in the Ashley Madison leak. However, Ashley Madison does not verify users’ emails — so an account could be set up with someone’s name and email without their knowledge.

At the time, Snooki denied that her husband had an Ashley Madison account, writing on Instagram that it “couldn’t be any further from the truth.” Biden also vehemently denied having an account on the infidelity website, saying the email linked was one that he no longer used after being hacked.

“I am certain that the account in question is not mine,” Hunter said in a statement at the time. “This account was clearly set up by someone else without my knowledge and I first learned about the account in question from the media.”

Duggar, Taekman and Rader, however, all issued apologies for their involvement with the website.

Rader, from the YouTube channel Sam and Nia, admitted to making an Ashley Madison account two years prior. He also stated that his wife had forgiven him for the “mistake.”

Taekman, the husband of former RHONY star Kristen Taekman, provided a statement to PEOPLE, apologizing to his wife and children for “any embarrassment or pain” he may have caused.

“ I signed up for the site foolishly and ignorantly with a group of friends and I deeply apologize for any embarrassment or pain I have brought to my wife and family,” Taekman said. “We both look forward to moving past this and getting on with our lives.”

Duggar , at the time, was already under fire for allegedly molesting five underage girls (including two of his sisters) as a teenager. After news broke of his Ashley Madison account, he admitted to being unfaithful to his wife Anna and issued an apology on his family’s website.

“While espousing faith and family values, I have been unfaithful to my wife,” the statement read. “I am so ashamed of the double life that I have been living and am grieved for the hurt, pain and disgrace my sin has caused my wife and family, and most of all Jesus and all those who profess faith in Him.”

In addition to exposing high-profile users, the Ashley Madison leak may have been linked to at least two suicides, Toronto police claimed in August 2015. A month later, a New Orleans pastor also committed suicide after allegedly having his name exposed in the data breach.

What happened to Ashley Madison CEO Noel Biderman?

Jane Mingay/Shutterstock

In addition to the identities of Ashley Madison’s 37 million users being revealed, Biderman himself was also exposed in the 2015 hacking scandal.

Though Biderman had repeatedly told the media he had never been unfaithful to his wife Amanda, hackers leaked hundreds of the CEO’s emails that claimed otherwise. The emails suggested that Biderman had had multiple affairs, including one with a Toronto-based escort that lasted several years, Buzzfeed reported.

In the wake of the hacking, Biderman stepped down from his role as CEO of Avid Life Media, Ashley Madison’s parent company. Avid Life Media stated at the time that his resignation was “in the best interest of the company.”

Does Ashley Madison still exist?

Chris So/Toronto Star/Getty

Though the 2015 hacking threatened Ashley Madison’s existence, the website has continued to thrive in the near-decade since.

In 2016, Avid Life Media rebranded as Ruby Corp. and hired Rob Segal and James Millership as its CEO and president, respectively. The pair worked on revamping the beleaguered Ashley Madison site — which involved gaining back their clients’ trust and winning over new customers.

Segal and Millership increased the site’s cybersecurity — hiring Deloitte, instituting annual audits and removing all of the fake female bots from the website, Business Insider reported. The duo also ditched Ashley Madison’s infamous tagline “Life is short. Have an affair,” and instead replaced it with “Find your moment,” according to a Ruby Corp. press release .

“It was a limiting label that's out-dated and doesn't speak to the wide variety of connections people find on Ashley Madison,” Segal said in the press release. “While remaining true to our roots, Ashley Madison needs to evolve, grow and attune to modern sexuality in 2016.”

The rebrand attempted to shake Ashley Madison’s reputation as a website for those seeking affairs — but the company appears to have returned to its adulterous roots. Its website currently features the original logo (a woman wearing a wedding ring doing the “hush” symbol) and motto of “Life is Short. Have an affair.”

It is also as popular as ever: According to the site, it boasts 80 million users (more than double the amount at the time of the 2015 hacking).

If you or someone you know is considering suicide, please contact the 988 Suicide and Crisis Lifeline by dialing 988, text "STRENGTH" to the Crisis Text Line at 741741 or go to 988lifeline.org .

BuzzFeed Staff

This article is not a  replacement for seeing a medical professional.  Gut issues are specific to each individual and could also indicate that there might be more underlying issues at hand.

If you scroll on TikTok or Instagram, you'll probably find multiple "constipation hacks" that claim to relieve bowel issues.

For example, a reel reposted in december 2023 by recipe developer bethany, aka @lilsipper , who posts low-sugar recipes for people with ibs, claimed you just need three ingredients to help with constipation: an orange, cinnamon, and cayenne pepper..

According to the video , this constipation hack will work in five minutes. "Every time I share this, I get messages thanking me," Bethany said. "It works about 95% of the time. So, if you need a little push, try this constipation hack and wait five minutes. If you've tried this before, let me know how it went. We're all human, and we do the same thing — but sometimes, we need Mother Nature to literally help us along. It's cheap, effective, and works fast."

While the Reel may have accumulated close to 500,00 likes and 44 million views, it seems people have either stated that they would rather use a different laxative method or simply be careful before trying this hack.

For instance, one person said they better go to the bathroom asap if they have to eat the peel of an orange..

Another person said they actually tried the hack a while ago when Bethany posted the video the first time around, and it did not work.

Bethany even replied, asking if this person "used a navel Orange? And eat the peel?" Their response? "Yes, and yes."

However, while most of the comments were lighthearted in nature, a few people claimed that something dangerous had occurred because of this hack. According to a few commentators, one or more people allegedly went to the hospital for a burned esophagus after trying this "health hack."

While we don't know the exact timeline of when and if these events coincide, it seems people have come across a TikTok video of a woman, posted at the beginning of April, who claims she went to the hospital after listening to a health and wellness influencer.

According to the video , about six years ago, she began following a well-known health and wellness influencer who created holistic recipes and was in the process of healing her body from a chronic illness. since the follower was also trying to heal from a chronic illness, she said that she started to lean into the influencer's content..

"It was one day when I stumbled upon one of her videos, talking about how you could help your digestion by coating an orange with cinnamon and cayenne pepper and eating it, peel and all. It was not pleasant going down," she said. "I thought I was doing the right thing for my body, and it would thank me later. Wrong."

"I ended up so sick, I had to go to the hospital. And when the doctor asked if I had eaten anything in the last 24 hours, I let him know that I coated an orange in cinnamon and cayenne, peel and all, and ingested it," she said. "He looked at me and said, 'Why would you do that?' And you know what my answer was? I saw someone do it online. As soon as it came out of my mouth, I was like, 'I deserve this.' He said, 'Well, now you might've burned your esophagus.'"

Across the video, the person wrote, "I suffered for months."

She continued, saying that she had to see a specialist and get an endoscopy, which confirmed she had burned her esophagus. She also explained that this event occurred years ago, but she recently saw the influencer repost the video within the last year. "This makes me upset because there are now hundreds of [millions] of people, looking to her for information... I'm not saying that the holistic route is not the way to go for most cases — that is the route that I go in most of my life. But it's not one size fits all. Everyone has different bodies, everyone has different health histories, and everyone has different genetics, and it's dangerous to recommend something for someone and say, 'This is the cure to your digestion issue' — but it's even more dangerous to believe everything you see."

She continued: "So while I do believe it's an influencer's and a content creator's responsibility to be mindful, I think we have even more responsibility to discern and to take everything we see with a grain of salt. That is the last time I will listen to a health and wellness influencer."

Since this person posted their video, it garnered over two million views, with dozens of other people stitching her video with their own painful experiences of either trying other health and wellness influencers' tips or how other medical professionals have given incorrect medical advice over social media.

Dr. will bulsiewicz , gastroenterologist, bestselling author, and u.s. medical director of zoe , said it makes sense why a lot of people are having similar negative experiences with this kind of health and wellness content. "there's an overwhelming amount of information out there, the algorithm is a black box that’s feeding us content based upon the biases it has identified in us, and everyone seems to be an expert," he told buzzfeed. "all these things make it more difficult than ever to separate fact from fiction.".

But even though the algorithm is feeding us this information, it doesn't mean the content being pushed onto us is filtered through a reputable lens. That's why Dr. Bulsiewicz suggests that people be "conscious consumers of information." "Rather than accepting what’s presented to us, even if it’s exciting or tells us what we want to be true, we should first ask ourselves whether we have a reputable source for the information," he said.

But how does one discern if the source is reputable or not dr. bulsiewicz provided a list of questions you can ask yourself before accepting any advice from the internet..

1. What qualifications does this person have that makes them an expert in the field? Our most basic question.

2. Are they in line with scientific consensus, or are they a lone wolf claiming that “all the scientists got this wrong, and I got it right?" Beware the lone wolf who claims to know things that no one else has thought of.

3. What science can they provide to support their claims? You’d be shocked how often there is no answer to this simple question.

4. What type of science do they provide?  We prefer human studies with high-quality evidence, such as systematic reviews and meta-analyses, randomized controlled trials, or large population studies. Beware the person who always cites test tube studies, animal studies, or anecdotes and ignores the higher quality human studies that refute their point.

5. Do they consistently reach the same conclusion, even when they are presented with research that would suggest otherwise? Sounds like an agenda if all roads lead to the same result.

6. Have they taken a position that’s anti-science – claiming that research and scientists shouldn’t be trusted? This is a way to discredit experts and science that defies their agenda.

Also, just because a health influencer's advice goes viral, like the one above, doesn't mean it's backed by science. "Things are more likely to go viral because they’re unexpected and different, which makes them exciting. But there’s a reason why they’re unexpected and different—because they’re unproven," he said.

For instance, there's no human research to support the orange constipation hack   actually works , said to Dr. Bulsiewicz. "The limited evidence that we have comes from laboratory animals," he added. "Obviously, humans are a bit more complicated and laboratory research often does not translate to humans, so we have to be careful with it. We simply don’t know whether this works or what the potential risks or side effects may be."

This is why it's even more important for health and wellness influencers to be incredibly selective about the kind of content they choose to create and post on the internet. "Outside of influencers and the internet, this is the reason we have governing bodies, formal certifications, rules, and regulations in order to be a health practitioner. You can't just claim to be a [medical professional]," he said. "You have to get a medical license, which includes verification of qualifications, training, test completion, history of misconduct or discipline, and a background check. This typically takes many months to complete, and as a licensed physician, your conduct can be reviewed. Not to mention, there is obviously the possibility of malpractice lawsuits."

"But on the internet, anyone can say literally anything, and there's no one to stop them," he added. "It seems like the internet needs to be held to the same standards that we expect from our healthcare professionals in our community. It seems that it would be best to have some form of health and wellness licensure and oversight — but clearly, that's not where we are. I don't think it's enough to simply say, 'Influencers should do their best to share good information.' What if they are doing their best, but they're just not adequately qualified to be sharing?"

So what can be some of the side effects and risks of the orange constipation hack? Dr. Bulsiewicz provided a list below:

1. "If a person is constipated, aggressively forcing motility can result in sharp, often severe abdominal pain," he said. "It generally comes in waves that build until you get temporary relief before a wave comes again, which reflects the waves of colon motility passing through. This would be particularly harmful if someone is impacted with stool (which occurs more often than you’d think) or in a person who has a blockage of their intestines, such as can happen with Crohn’s disease."

2. "While long-term use of cayenne pepper can actually help irritable bowel syndrome, in the short term, it can make things worse and instigate gut pain," he said.

3. "Lastly, oranges are often sprayed with pesticides or other chemicals that accumulate on the surface of the orange peel," he said. "The peel is usually removed, but in this case, it is being consumed, and that could potentially lead to ingestion of toxic substances that could negatively harm the gut microbiome."

While the above factors can impact the gut, Dr. Bulsiewicz said excessive ingestion of cayenne pepper was most likely the cause of the follower's burned esophagus. "Certainly, we don’t know the state of this person’s intestines prior to ingesting the cayenne-drenched oranges, but if she had any sort of injury to the surface layer of her intestines – which could be the result of acid reflux, an ulcer, or gastritis – then it would make complete and total sense that cayenne would cause severe pain on ingestion," he said.

"Admittedly, cayenne pepper, when consumed routinely in the appropriate amount, can be quite healthy for most people. That said, it’s easily possible to consume an excessive amount of it and cause bodily injury," he said. "That’s one of the issues that exists around the advice that was given is that there really aren’t boundaries defined for safety."

Since our expert doesn't know if the hack will work or not, there are other ways to help relieve constipation, according to Dr. Bulsiewicz.

"Two options immediately come to mind as a gastroenterologist: kiwifruit and magnesium. Kiwifruit is delicious and a great source of fiber that bulks up our stool, absorbs water, and helps with laxation. This was actually proven in an international clinical trial where participants ate two peeled kiwis per day, which improved their constipation and pain, as well as indigestion. There were no serious adverse events by eating kiwi," he said.

"Magnesium oxide has been similarly proven. In a human clinical trial , 1.5 grams of magnesium oxide daily improved the frequency of bowel movements and quality of life with no severe adverse events," he explained. "With magnesium, it is best to discuss this with your doctor prior to proceeding, and it’s possible to have your magnesium levels checked before and after initiating the supplement to verify that you’re in the normal range."

It's important to keep in mind that inadequate fiber consumption is a main cause of constipation, and 95% of Americans are deficient in fiber , Dr. Bulsiewicz said. "The recommended amount of fiber in our diet is 25 grams per day for women and 38 grams per day for men yet the average consumption is around 15 grams per day for women and 18 grams per day for men."

That's why if you're experiencing chronic constipation, it's essential to check with your doctor first before trying any hacks you find on the internet. "you want to understand why the change in bowel habits has occurred and to ensure there’s nothing more serious going on," he said. "the treatment of chronic constipation is highly nuanced, with a number of over-the-counter, supplement, and prescription-strength medications as well as alternative constipation treatments such as pelvic therapy.".

According to Dr. Bulsiewicz, the bottom line is that if we addressed our fiber deficiency, we’d be a nation of "super poopers" instead of dealing with so much constipation.

"It’s important to understand that we have tons of options for treatment of constipation that are proven by human studies — they’re effective, they’re low risk, and we don’t need to guess," he said. "So, while the unexpected and different idea may be exciting on the surface when it comes to our health, we’re better off going with the tried and true option."

Have you experienced any issues with trying a health and wellness influencer's tip or hack? Tell us what happened in the comments below.

Cameron did not respond to a request for comment.

Share This Article

• Skip to Navigation
• Skip to Main Content
• Skip to Related Content
• Today's news
• Reviews and deals
• Climate change
• 2024 election
• Fall allergies
• Health news
• Mental health
• Sexual health
• Family health
• So mini ways
• Unapologetically
• Buying guides

Entertainment

• How to Watch
• My watchlist
• Stock market
• Biden economy
• Personal finance
• Stocks: most active
• Stocks: gainers
• Stocks: losers
• Trending tickers
• World indices
• US Treasury bonds
• Top mutual funds
• Highest open interest
• Highest implied volatility
• Currency converter
• Basic materials
• Communication services
• Consumer cyclical
• Consumer defensive
• Financial services
• Industrials
• Real estate
• Mutual funds
• Credit cards
• Credit card rates
• Balance transfer credit cards
• Business credit cards
• Cash back credit cards
• Rewards credit cards
• Travel credit cards
• Checking accounts
• Online checking accounts
• High-yield savings accounts
• Money market accounts
• Personal loans
• Student loans
• Car insurance
• Home buying
• Options pit
• Investment ideas
• Research reports
• Fantasy football
• Pro Pick 'Em
• College Pick 'Em
• Fantasy baseball
• Fantasy hockey
• Fantasy basketball
• Download the app
• Daily fantasy
• Scores and schedules
• GameChannel
• World Baseball Classic
• Premier League
• CONCACAF League
• Champions League
• Motorsports
• Horse racing
• Newsletters

New on Yahoo

• Privacy Dashboard
• Follow rounds live
• How To Watch
• Scottie Scheffler Arrest
• Scores/Schedules
• Wemby Watch
• Fantasy Basketball
• In-Season Tournament
• All-Star Game
• Power Rankings
• Fantasy Baseball
• 2024 Schedule
• Scores/Schedule
• Fantasy Football
• Free Agency
• Fantasy Hockey
• UFC Schedule
• How To Watch the 2024 Season
• Yahoo Sports AM
• Leaderboard
• PGA Championship
• Masters Tournament
• Tournament Schedule
• French Open
• Australian Open
• Playoff and Bowl Games
• March Madness
• Caitlin Clark Scoring Record
• College Sports
• Fantasy Sports
• Sports Betting 101
• Bet Calculator
• Legalization Tracker
• Casino Games
• Paris Games Home
• Kentucky Derby
• Preakness Stakes
• Belmont Stakes
• Ball Don't Lie
• Yahoo Fantasy Football Show
• College Football Enquirer
• Baseball Bar-B-Cast
• Wolves rally to dethrone Nuggets
• Schauffele wins PGA Championship
• Pacers win Game 7, Brunson breaks hand
• Logano wins All-Star Race
• 4 straight EPL titles for Man City

Emilia Romagna Grand Prix 2024: How to watch the next F1 race without cable

F1 fans, start your engines. The 2024 season continues this weekend with the Emilia Romagna Grand Prix. The seventh Grand Prix of the 2024 F1 season will take place at Imola this Sunday, at 9 a.m. ET. While Red Bull's Max Verstappen has won four out of the six Grand Prix so far this year, last weekend was a total shakeup to the season when McLaren's Lando Norris took first place for the very first time on the F1 circuit. Will Verstappen be back in top form at Emilia Romagna? You'll have to tune into the track to find out.

Whether you’ve already got some miles on you as a Formula 1 fan, or the Emilia Romagna Grand Prix will be your first time tuning into the action on the track, watching or streaming this wildly popular international sport from the US can be a challenge. If you don’t want to have to race to find the Emilia Romagna Grand Prix on TV, we’ve got you covered. Here’s how to watch the F1 races this weekend.

How to watch the F1 Emilia Romagna Grand Prix:

Stream free f1 coverage.

Date: Sunday, May 19, 2024

Race time: 9 a.m. ET/6 a.m. PT

Location: Autodromo Internazionale Enzo e Dino Ferrari (Imola)

TV channel: ESPN

Streaming: ESPN+

What channel is the F1 Emilia Romagna Grand Prix on?

The Emilia Romagna Grand Prix will air live on ESPN. ESPN is the home of F1 this season with 18 out of 24 races airing on either ESPN or ABC, and the remainder airing on ESPN2. 16 races will stream on ESPN+ in 2024.

For cord-cutters who want to watch F1 racing, including this weekend's grand prix, we recommend a live TV streaming service such as Hulu’s live TV bundle, which includes ABC, ESPN, ESPN2 and ESPN+. If you're looking for a lower-cost subscription, a direct subscription to ESPN+ is an affordable option great for fans of all kinds of sports. If you're only interested in watching F1 racing and don't care about the ability to watch other sports, an F1 TV Pro subscription is a simple way to stream every race, practice and qualifier.

How to watch F1 in the USA without cable:

Hulu + live tv, watch f1 on espn, espn2, abc and espn+.

For watching F1 races (and other sports), Hulu’s live TV tier is a solid option. The streaming service’s live TV bundle will get you access to ABC, ESPN and ESPN2 (make sure to check your zip code to confirm eligibility). Plus, this bundle gets you a subscription to ESPN+ so you can stream F1 races and practices there. You'll also get ad-supported Disney+ and, of course, access to Hulu’s general content library. Hulu’s live TV plans also include unlimited DVR storage, a hardware-free set-up process and easy online cancellation.

Stream the Emilia Romagna Grand Prix

The Emilia Romagna Grand Prix will stream on ESPN+. An ESPN+ subscription grants you access to exclusive ESPN+ content including live events, fantasy sports tools and premium ESPN+ articles. You can stream ESPN+ through an app on your smart TV, phone, tablet, computer and on ESPN.com.

Stream F1 races and practices

An F1 TV Pro subscription lets you stream every F1 race live, plus all the practices, qualifying races and pre-race shows. F1 TV is also home to F1's post-race live shows, analysis, Tech Talks, documentaries and the official F1 archive. You can subscribe to F1 TV Pro for $10.99/month or pay $85 for the entire season.

How to stream F1 for free from the US

Don’t want to deal with racing to find F1 coverage across ESPN platforms every Grand Prix? We’ve got a hack for you. Some residents in Europe are able to watch free F1 live streams of every Grand Prix in 2024 on the free-to-stream platform Servus TV . If you live in America, you can still tune into this free livestream with the help of a VPN.

A VPN (virtual private network) helps protect your data, can mask your IP address and is perhaps most popular for being especially useful in the age of streaming. Whether you’re looking to watch Friends on Netflix (which left the U.S. version of the streamer back in 2019) or tune in to the F1 race this weekend without a cable package, a VPN can help you out. Looking to try a VPN for the first time? This guide breaks down the best VPN options for every kind of user .

ExpressVPN offers “internet without borders,” meaning you can tune into an Austrian livestream this month as opposed to paying for ESPN or ESPN+ for US coverage of F1. All you'll need to do is sign up for ExpressVPN, change your server location and then find the free F1 livestream.

ExpressVPN’s added protection, speed and range of location options make it an excellent choice for first-time VPN users looking to stretch their streaming abilities, plus, it's Endgadget's top pick for the best streaming VPN . New users can save 49% when they sign up for ExpressVPN’s 12-month subscription. Plus, the service offers a 30-day money-back guarantee, in case you're nervous about trying a VPN.

More ways to watch F1 for free this weekend:

Directv choice, watch f1 on abc, espn and espn2, emilia romagna grand prix schedule:.

All times Eastern

Friday, May 17

Practice 1: 7:30 - 8:30 a.m.

Practice 2: 11 a.m. - 12 p.m.

Saturday, May 18

Practice 3: 6:30 - 7:30 a.m.

Qualifying: 10-11 a.m.

Sunday, May 19

Emilia Romagna Grand Prix race: 9 a.m. ( ESPN+ , F1 TV )

Other ways to watch F1 without cable:

Watch f1 on abc, espn, espn2, recommended stories, formula 1: after lando norris' miami win, max verstappen is a smaller favorite than usual ahead of imola.

Verstappen has won four of the first six races in 2024.

Formula 1: Miami Grand Prix won by Lando Norris sets United States viewership record

Over 3 million people watched Norris get the first F1 win of his career.

Formula 1: Lando Norris gets his first win ahead of Max Verstappen at the Miami Grand Prix

Norris hadn't pitted and was leading the Grand Prix when a safety car was deployed for Logan Sargeant and Kevin Magnussen's crash.

Longtime Oakland Raiders center, Hall of Famer Jim Otto dies at 86

Jim Otto appeared in 210 straight games for the Raiders and was one of just three players who appeared in every single regular season AFL game throughout his career.

Denver Nuggets 2024 NBA offseason preview: Expect the former champs to run it back

The Nuggets have the best player in basketball in Nikola Jokić, and he should have at least another 5-6 years left of MVP-caliber play.

NBA playoffs: Timberwolves rally from 20-point deficit to stun Nuggets in Game 7, reach conference finals

For the first time in two decades, the Minnesota Timberwolves are headed to the Western Conference finals.

NASCAR: Joey Logano leads 199 of 200 laps to win All-Star Race

Logano started on the pole and never got passed under green.

New York Knicks 2024 NBA offseason preview: Staying the course should be the focus

This team is built to compete now and could carve out a nice five-year window if it can keep the right players. A Finals run in the near future can't be ruled out.

Scott McLaughlin leads Penske front row sweep for Indianapolis 500; Kyle Larson to start 5th

McLaughlin posted a four-lap average of 234.220 MPH.

Indy 500 qualifying results: Team Penske sweeps front row, NASCAR'S Kyle Larson starts 5th

After positions 13-30 for the 108th Indianapolis 500 were locked in on Saturday, the first 12 and final three slots will be determined Sunday.

NBA playoffs: Pacers blow out Knicks in Game 7 as Jalen Brunson leaves game with fractured hand

One team will go on to the Eastern Conference finals. The other will go home.

PGA Championship: Xander Schauffele drains dramatic birdie on 18 to win first career major

Xander Schauffele hit a six-foot putt on 18 to win the 2024 PGA Championship.

Oklahoma City Thunder 2024 NBA offseason preview: The future looks brilliant, but the improvements are obvious

With the right summer moves and expected health, there's no reason to believe the Thunder couldn't win the whole thing next season.

PGA Championship Round 4 live updates, leaderboard: Xander Schauffele beats out Bryson DeChambeau to win at Valhalla

Thanks to a clutch birdie at the 18th, Xander Schauffele has won his first career major championship.

Indy 500 qualifying: Kyle Larson locks into the field; Rinus Veekay recovers from early crash to get into top 12

Kyle Larson not only qualified for the 1008th running of the Indianapolis 500, he’ll start in one of the first four rows.

NBA playoffs: Luka Dončić leads 17-point Mavericks comeback to finish off Thunder

The Mavericks will face the Nuggets or Timberwolves for a trip to the NBA Finals.

Preakness Stakes 2024 winner, payouts, results: Seize the Grey wins at Pimlico, Mystik Dan finishes 2nd, ending Triple Crown bid

Live updates from the 149th Preakness Stakes at Pimlico Race Course in Baltimore

PGA Championship Round 4 tee times: Collin Morikawa, Xander Schauffele tied atop packed leaderboard at Valhalla

Tee times for the final round of the PGA Championship in Louisville are here.

Tyson Fury vs. Oleksandr Usyk full results: Usyk stays undefeated, becomes undisputed with split decision win

Fury and Usyk finally fought for all of the heavyweight titles Saturday with the Ukrainian fighter coming out on top.

Preakness Stakes 2024: Seize the Grey wins in Baltimore, ending Mystik Dan's Triple Crown hopes

The Triple Crown is no longer in play.