You might have missed the biggest hack ever ... so let's un-bury the lead. Here's the real story behind the Yahoo hack
Breach is a new podcast I am hosting with producer Alia Tavakolian of Spoke Media. It's an investigation into the Yahoo hack, which was the biggest hack ever. You can listen to episode 1 by clicking on the play button here, or by going to Stitcher or iTunes. There's a partial transcript below if you aren't quite persuaded to join the podcast world just yet.
Episode 1 sets the scene for what's to come later: details of an alleged Russian conspiracy, including our jailhouse correspondence with one suspect who's already pleaded guilty. But here, I explain why the Yahoo hack is so much more than your run-of-the-mill smash-and-grab-credit-card-numbers kind of hack.
BOB:
So picture a strongbox, and then picture you know your mom actually is the keeper of the strongbox for the whole extended family. So maybe there's like 20 of those strongboxes in the basement, and now let's let's double that another time let's say your mom is actually the keeper of the strongbox for the whole town - that might be the records office in town hall or something right, so that's a lot of birth certificates that's a lot of primary data. Now I want you to picture not not just all those strong boxes in the basement of town hall, but strong boxes in the basements of every town hall in America. And now I want you to picture a tool that lets a criminal find exactly the birth certificate they want in less than a second for any purpose whatsoever, and outside of this magical facility we’re imagining is like a guy holding a golden retriever saying stay away. That's the struggle that IT security teams face right now. The responsibility is enormous as you might imagine, you know the resources are always not quite there.
ALIA:
So you're telling me a criminal could essentially just command F or control F that treasure trove of information and find whatever she or he wants?
BOB:
I need to find who Alia’s high school boyfriend was. Bang.
ALIA:
That's terrifying.
Do you think the people understood the complexity and the implications of what information was taken from Yahoo?
BOB:
Absolutely not, no. One of the biggest problems with it - like the Yahoo hack for example I mean we’ve been struggling with it here. The more you look at it, the bigger it gets. You know it began as okay so you know some hundreds of millions of passwords, but that’s happened before. No, now we know it's this massive Russian conspiracy.
ALIA:
I really feel like you buried the lead Bob. Bob, when we started this, I just thought this was a story about a big data breach, and then you tell me it’s a massive Russian conspiracy with a cast of characters. I mean, it's- it's an adventure!
BOB:
An adventure is one way to put it. The US Government has indicted someone connected to the Russian Government in relation to this hack; that's never happened before. It's really rare that we catch the bad guys in these kinds of crimes. In fact it's really rare that we even learn how they were done or or who a suspect is or or point even a finger at a nation-state or a group or anything. In this case not only do we have suspects, we have an indictment. The indictment is one of the most colorful indictments I've ever read. It's just full of detail about these foreign actors, some of them with direct links to the Russian government.
ALIA:
This is so wild to me. So okay break this down for me. You said earlier that this is like a heist like an Ocean's Eleven heist.
BOB:
It is. It’s an operation that involves many layers and many different kinds of expertise and involves handoffs. It involves a lot of wink wink from the Russian government, Russian FSB, the security force there, folks who have long-standing reputations in the Russian hacking community were involved. And it involves an awful lot of data that that ultimately-
ALIA:
So wait, is this like a James Bond movie ‘From Russia with Love.’
BOB:
Oh this is a spy movie for sure.
ALIA:
Yahoo the spy movie, not heist.
BOB:
Yeah, there’s nobody hoping to actually throw a bag of gold coins onto a train and run away in this movie. This movie is all about gaining an upper hand in a cyber war. People have been warning about a cyber 9/11 for so long that it used to be called a cyber Pearl Harbor. We’re in this data Cold War already. It’s already started.