Today, our email accounts are one of the most precious digital assets that we have with us. It is almost impossible to imagine yourself functioning online without an email account these days. Which would explain why every second more than 3 million emails are sent out. And most people don’t think twice before sending out another email with the assumption that their emails are well secure and their privacy won’t be compromised. The reality is far from different.
Below, we look at some of the most significant email breaches in this century, which serves as an eye opener as to why emails aren’t as safe as you think they are.
In 2004, an AOL employee, Jason Smathers who had no authorization to access AOL’s database, gained access to it using the computerized employee identification code of another employee. He stole information from 92 million user accounts and sold them to an online marketer called Sean Dunaway for approximately $100,000. The information eventually ended up in the hands of unidentified spammers, who bombarded the stolen email addresses with millions of emails (around 7 billion unsolicited emails to be precise), with an objective to peddle herbal penile enhancements products. While the concept of cybercrime was still novel to the judicial system, the accused received a lenient punishment for his crimes. The company on the other hand had to bear a cost of $400,000 to millions of dollars.
For the past couple of years, ever since it happened — Yahoo has topped the list when it comes to the largest data breaches in history. The company went public with the breach nearly 3 years after the hack took place initially in 2013, revealing that about a billion user accounts were compromised. And it took them another 10 months to reveal that it might have been 3 billion user accounts. This breach should not be confused with the one they had again in 2014, which again came to public’s attention two years later, having affected almost 500 million user accounts.
It is said that the breach occurred because of poor security practices. The hackers had used phishing as a tool to get access to Yahoo’s network. An employee with the access to Yahoo’s networks had clicked on malicious links which led the hackers right in. The information stolen, allowed the cyber attackers to access user email accounts and calendars associated with them. The hackers were able to obtain email addresses, date of birth, user account names, phone numbers, and in some cases it was reported that encrypted or unencrypted security questions and answers were stolen as well.
In the aftermath, by 2016, the victims of the breach had filed 23 lawsuits against Yahoo, arguing that the breach had caused an intrusion into their personal financial matters. In 2019, the matter was finally settled with Yahoo agreeing to pay $117.5 million, which would pay for various compensations including out-of-pocket expenses that could relate to identity theft, paid user costs, lost time, and small business user costs.
While the company did not provide any statements to the public reassuring them that the company has recommitted to invest more towards its cyber security, they did however, pledge to to avoid such incidents in future by: invalidating user unencrypted security questions and its answers, upgrading systems that monitor and prevent unauthorized access; and by requiring all affected users affected or unaffected to reset their passwords.
U.S. Federal Government Data Breach
This may be one of the most sophisticated and stealthy hacks that took place beginning 2019. Suspected Russian state sponsored hackers accessed the build systems of the software company called SolarWinds, possibly through its Microsoft Office 365 account. The hackers had used SolarWinds’ network management software, Orion, by covertly inserting malicious codes into their software updates. After receiving proof of concept from the first software update, they began to establish a command-and-control infrastructure in the compromised software. Their next course of action was to plant remote access tool malware into each of Orion’s updates, which acted as a trojan of sorts. After a user would install the compromised software update, the malware payload would be executed, and would remain dormant for upto 2 weeks before attempting to communicate with multiple command-and-control servers in place. A successful communication between the malware and a command-and-control server would indicate successful malware deployment, which would then offer the hackers a back door to further exploit the system, if required.
The malicious updates of Orion were installed by about 18,000 users at that time, including high profile clients, Fortune 500 companies and at least nine U.S. federal agencies like the Pentagon, Department of Homeland Security, treasury department, Cybersecurity and Infrastructure Agency, federal prosecutors’ office. It was later clarified that there were reports of highly sensitive emails being breached and stolen in all the affected federal government agencies. According to the Department of Justice, in the four US attorney offices in New York, 80% of Microsoft accounts which were being used by them were breached. They also added that 27 U.S. attorney offices in New York had at least one employee with an email account compromised. Dozens of email accounts and networks at the Treasury department were breached, which were associated with high ranking officials. The hackers had also gained access to email accounts associated with the acting homeland security secretary and members of the cybersecurity team as well.
Microsoft Exchange Server
In the beginning of 2021, Microsoft Exchange Server, which is an email infrastructure, calendar and collaboration solution was being exploited by using four zero-day vulnerabilities. A Chinese nation-state group dubbed Hafnium by Microsoft, infected about 60,000 global users with malware, which included 30,000 U.S. governmental and commercial organizations. The vulnerabilities identified were able to provide the hackers with access to email accounts, and also provided them with an ability to install malware which also allowed them to enter into the servers again at a later time.
Microsoft’s Corporate Vice President, Customer Security & Trust, Tom Burt had described the three steps that the hackers may have taken to to breach the Exchange Server:
“First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access – run from the U.S.-based private servers – to steal data from an organization’s network.”
Microsoft, had released security updates to fix the vulnerabilities dating back to 2010, 2013, 2016 and 2019 versions of Exchange, telling us that the vulnerabilities had been lurking in the Microsoft Exchange Server code base for about 10 years. The exploit was limited to self-hosted servers and not the Exchange Online.
We all remember the controversy surrounding the release of The Interview, a comedy film about two Americans who are sent to assassinate North Korean leader Kim Jong Un. It was around the time before that, during November 2014 when the corporate network of Sony Pictures was hacked, by a group who calls itself the Guardians of Peace. The group was believed to have associations with North Korean in one way or another. About 46,800 employees and contractors had been exposed to identity theft consisting of stolen social security numbers and scanned passports. The hackers demanded the cancellation of the release of The Interview while threatening to leak the stolen information and commit acts of terrorism against movie theatres. Though the studio initially bowed down to the demands, it reversed its decision later on and released the film in certain theaters and online as well.
More than 100 TBs worth of private data was taken by the group and deleted the original files from the Sony computers, which consisted of the following:
- Company information
- Email exchanges between the employees
- Employee data
- Information about actors
- Other sensitive information like social security numbers, scanned passports and employee salaries
- Internal passwords
- Unpublished scripts
- Marketing plans
- Financial information
- Legal information;
- Four unreleased Sony movies
During 2015, all the hacked emails had been released online at large by WikiLeaks. The hack cost Sony Pictures at least 35 million dollars plus the revenue which was lost for not screening the film The Interview.
It was concluded that the hack took place because of a lack of defense-in-depth approach to their cybersecurity. The Sony network was not layered enough to prevent the breach. The group initially had hacked into one server which then led them to the rest. The combination of weak passwords, lack of server hardening, lack of timely response to the threat, inadequate monitoring and logging, and lack of Security Education Training and Awareness (SETA) had contributed to the hack.