Talk:Yahoo! data breaches/GA2

GA Review
The edit link for this section can be used to add comments to the review.''

Nominator: 06:34, 2 April 2024 (UTC)

Reviewer: Schierbecker (talk · contribs) 18:17, 22 April 2024 (UTC)

This article appears to still be a little ways off from GA.


 * The lede name-drops Karim Baratov in the lede, but doesn't identify his profession or nationality.
 * Fixed. :)
 * When did Yahoo contact law enforcement?
 * It's actually not clear they did - their own press release (and their SEC filing) suggests that law enforcement came to them: https://help.yahoo.com/kb/account/SLN27925.html?impressions=true but in general there is a very little information in reliable sources.
 * How did Yahoo come to learn about the breaches?
 * Per the above, there's a suggestion that they were informed by law enforcement, there's a suggestion that they found out about it from press asking about account data being available on the dark web, and there's a suggestion in a press release that they were doing their own investigation. I've not been able to find reliable sources that cover it.   Their filing at  https://web.archive.org/web/20170110014942/https://investor.yahoo.net/secfiling.cfm?filingID=1193125-16-764376&CIK=1011006 says "In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014. Based on further investigation with an outside forensic expert, the Company disclosed the Security Incident on September 22, 2016, and began notifying potentially affected users, regulators, and other stakeholders."


 * What effects did the 2013 breach have on users/Yahoo? When was this discovered? This breach affected six times as many accounts but there is hardly any information about it. Was it less sensitive in nature?
 * You are right. It's massive and it was broadly ignored (I mean, there was a congressional hearing but it found nothing of substance) I was extremely pleased I was able to find a source positively saying the negative: i.e. that Yahoo had released no information.


 * at least two others accessed user account information connected to Belan?
 * Fixed.


 * Yahoo also claimed that there was no evidence that the attackers were still in the system Was this proven? Article suggests otherwise.
 * It's a [very specific denial](https://tvtropes.org/pmwiki/pmwiki.php/Main/SuspiciouslySpecificDenial) right? That was Yahoo's claim at the time. The indictment against Belan suggests Belan was operating well past that time, but I opted to show both sources with editorialising.


 * From October 2014 to at least November 2016, Belan and at least two others accessed user account information Using the fruits of the 2014 breach?
 * Yes, that is the understanding. I can make this a bit more obvious in the text if you like?


 * The filing noted that the company believed the data breach had been conducted through a cookie-based attack The September filing or the November filing?
 * Fixed (The November filing of finances covering the period up to the 30th September) I've also clarified some of the nearby language.


 * it was reported that account names and passwords for about 200 million Yahoo accounts were presented for sale on the darknet market site. Which darknet site? Was this related to the 2014 breach? Do we know if anyone purchased them?
 * I'm a little confused by the first bit of the question - the darknet site is 'The Real Deal' but that's already in the text so I might need some clarity. Regarding the other questions: Yahoo hasn't released any information about which breach it might have been related to (or even if it's real), and I don't believe I have any sources covering if it was purchased.


 * Did Russia cooperate with the investigation? Was the FSB organization implicated as a whole or was this the work of agents doing unsanctioned work for the FSB on their own initiative (or even moonlighting off the clock for their own personal gain)? Which accounts did the FSB agents target. (edit: Dmitry Dokuchaev was one of those charged. He has a Wikipedia article. He should be mentioned by name. Maybe Igor Anatolyevich Sushchin too.)
 * I've linked both Igor_Sechin and Dmitry Dokuchaev. Sadly I don't have any sources from the FSB about how they feel.  We have some light information about the FSB agents targeting 'people of interest to the regime' but nothing that really produces content (and I think it would be a magnet for some fringe contributions)

pending improvements. Schierbecker (talk) 18:17, 22 April 2024 (UTC)


 * Wonderful! Thank you so much for your review. I'll pop back shortly to do proper replies/fixes - I suspect that the answer to some of your questions is "Yahoo refuses to give any information about this and thus there are no relable sources one way or the other", but I can make some changes on the basis of this :) Joe (talk) 12:04, 23 April 2024 (UTC)
 * Right, I've fixed an array of things and replied to all comments. Apologies for how many of the answers are "There isn't really a source for that" I did do quite a bit of digging... Joe (talk) 18:49, 24 April 2024 (UTC)
 * Hi, can I check in and see what's left to do? I'm aware that the clock is ticking and I don't want to miss out on the GA because I forgot to response to a particular comment :) Joe (talk) 06:42, 27 April 2024 (UTC)
 * It appears that Igor Sushchin is linked to the wrong guy. Will take a look tomorrow. Schierbecker (talk) 07:22, 27 April 2024 (UTC)
 * Definately the wrong guy (his age is about ten years different on the indictment compared to the wiki article) Joe (talk) 19:10, 30 April 2024 (UTC)


 * Russia denies responsibility
 * I've used this source now :)


 * More details
 * I've used this source now :)


 * p. 1262. Also mention Stamos.
 * I found a paragraph I'd removed previously and resurrected it (with your excellent source above)


 * Alexey Belan linked twice. Also who is he? Give a brief background. How did he escape prosecution? Where is he believed to be? Did the U.S. request his extradition? WP:BLPCRIME applies. Make sure that all unproven allegations are presented as such.
 * So I'm a little nervous here. On the one hand I don't want to add much content for exactly BLPCRIME reasons - all that we actually know is that he's been accused.  The other problem is that Belan's own Wikipedia article is magnificently low on content.  We could say that he was last known to be in Krasnodar Russia (per https://www.fbi.gov/wanted/cyber/alexsey-belan) but the major issue there is that page is showing signs of having barely been updated since before the breach...  Is this in one of the GA criteria or is this more of a 'nice to have' thing? Joe (talk) 11:10, 1 May 2024 (UTC)
 * I guess we don't know for sure that he fled? Just that his last known location was in Russia? You could say that. Just make sure to attribute this to the FBI. Use Internet Archive to lock down when the FBI said this. Schierbecker (talk) 15:38, 1 May 2024 (UTC)


 * When was the August 2013 breach disclosed?
 * Fixed :)


 * Images should be left at the default size per WP:THUMBSIZE.
 * I think this is done, I'm not sure. :)


 * Use MOS:DATECOMMA. This article is specific to the U.S., therefore it is obvious we are dealing with U.S. currency. MOS:$.
 * Done :)


 * [[tq|Judge Koh rejected the settlement offer,}} Need his first name. In this case I don't think his name is important, so it can just be removed.
 * Done :)

Schierbecker (talk) 20:57, 30 April 2024 (UTC)


 * Former CEO Marissa Mayer Should say "Former CEO Marissa Mayer, who was CEO at the time of the breach"
 * Done :)


 * Still one MOS:$ issues
 * Found! :)


 * Heading should be in sentence case per MOS:HEAD
 * Done :)


 * wl Article 29 Data Protection Working Party. Unquote, as it is a proper name. Wl names in image captions. It's not considered overlink. Briefly describe each individual and their relevance to the matter in the captions.
 * Done :)


 * His memoir, written after his release, Try "His memoir published in YEAR".
 * Done :)


 * Did Yahoo lose users over this? They had somewhat of an IBM-esque mojo about them: They were bleeding users before this but were mounting a come-back. They had recently purchased Flickr. I remember Mayer being this sort of Sheryl Sandberg-type figure girl boss who went from hero to zero. (did her resignation have anything to do with the security issues Yahoo had under her watch?)
 * Your memory of the culture at the time matches mine; I'd love a source that suggested that the breach was a factor, but I haven't found one, and I wouldn't expect to: it is genuinely amazing how little a splash the whole thing made overall. I think Mayer went basically because she wasn't able to make the shareholders enough money.


 * What nationality is Yahoo?
 * American, and then owned (mostly) by another technically American company. I'm happy to put that in, but I also feel like the company is multinational enough that it's not particularly in context. (Like, Sony is a Japanese Company but that's not mentioned (and I would argue, not particular relevant) in 2014_Sony_Pictures_hack (you can argue that because it used to be Columbia Pictures, it's an American Company owned by a Japanese one but we end up a long way from the actual topic.Joe (talk) 20:01, 8 May 2024 (UTC)


 * I like this quote from Krebs on Security where he calls it "yet another reason I’m telling people to run away from Yahoo email." p. 1283 of that AU Law Review pdf I linked is also very quotable.
 * It's a great quote for an anecdote - I'm just wary about using it in an encyclopedia (and I spent a lot of time cleaning up random incorrect quotes in a previous version of this article that I am a little anti) - I don't mind much either way tho. The AU Law Review source is genuinely extremely good and I'm glad you found it. You have probably noticed I'm periodically sneaking it in to back up other things. Joe (talk) 20:01, 8 May 2024 (UTC)


 * Yahoo would be more readable in running text if it did not have punctuation.
 * Fixed, one snuck in when I copied from a previous version.


 * Probably no reason to mention the name of the credit-monitoring service Yahoo offered its users.
 * DOne


 * Should mention Dokuchaev was maybe under arrest in Russia at the time of the indictment. "United States officials said Wednesday that they were not certain if the Dmitry Dokuchaev arrested in December was the same man as the one named in the indictment."
 * I'm paywalled for that one, I'm fine for you to throw it in tho...Joe (talk) 20:01, 8 May 2024 (UTC)


 * In a letter to Mayer, six Democratic U.S. Senators Did she respond?
 * I believe not. There's a stonewalling press comment at and then a letter letter from the chairs of the relevant Senate committee complaining about lack of information (https://www.commerce.senate.gov/services/files/35ecbbeb-9fc1-4913-9448-c8d29807f93c) so I get the impression it was just stonewalling.


 * Before trial could commence Before the trial?
 * I have gone with 'a' - 'any' might also work


 * enlisted a Canadian hacker, Karim Baratov, to break into accounts Try "enlisted Canadian hacker Karim Baratov to break into accounts"


 * In June 2016, it was reported that account names and passwords for about 200 million Yahoo accounts Try "In June 2016 account names and passwords for about 200 million Yahoo accounts were listed for sale" on the darknet market site TheRealDeal." No comma before TheRealDeal. The source says "supposed credentials". Did further investigation substantiate whether this was real? Was "Peace"'s identity ever tied to an individual (or is alleged to be an individual) named in the FBI's indictment or in other inquiries? See p. 1271 in that pdf. Here Peace seems to claim he's just a data broker and is unsure of the providence of the material, saying it may have been from 2012. It's unclear if this alleged breach is one of the two this article deals with or a third breach.
 * Fixed the comma :)
 * the AU article is the strongest source we have, but it's all still alleged and vague and rests on the word of an anonymous criminal. It's relevant to the article in that it's (allegedly) what prompted Yahoo to take a look at their severs, but the FBI indictment that went out (which I feel is our strongest source) doesn't reference it (I think, I should double check that)Joe (talk) 20:01, 8 May 2024 (UTC)


 * wl/define the type of attacks used in this breach. Was Cookie poisoning used? I believe I've also seen the term "spear phishing" used to describe what Baratov did. Is there a glossary or wiktionary entry to link to?
 * Baratov's book is annoyingly vague and slightly hard to believe on the topic of his methods. I would have bet that it boiled down to 'just spear phishing all day' but his memoir has a lot of things in it that are incompatible with that (breaking into accounts with lost passwords for example). In general Yahoo claim there was some evidence of Cookie Forging - but the FBI indictment covers a wide spread of different techniques all of which are things done _after_ access was gained. I'd bet it was originally speak phishing (because these things always turn out to be) but I don't have a clear unequivocal source.

Next batch

 * Relevant. "Mr. Bennett said the F.B.I. was still investigating a separate, larger breach of one billion Yahoo accounts that occurred in 2013 but was disclosed by the company only three months ago. Yahoo has said it has not been able to glean much information about that attack, which was uncovered by InfoArmor, an Arizona security firm." The indictment was filed in February 2017 and unsealed in March: "The Justice Department’s 47-count indictment, which was filed under seal in Federal District Court in San Francisco on Feb. 28, immediately threatened to escalate diplomatic tensions over Russia’s meddling in the November election." Is this true?: "The Russian government used the information obtained by the intelligence officers and two other men to spy on a range of targets, from White House and military officials to executives at banks, two American cloud computing companies, an airline and even a gambling regulator in Nevada, according to an indictment.
 * So, there's some other sources about Infoarmour - they (along with a bunch of other security firms who I feel were looking for publicity) broadly looked at the some forums to see if anyone was selling a billion records and didn't find anything conclusive. I'd assume that NYT is a reliable source, but this quote looks like an error given that it doesn't match up with any statements by Yahoo or law enforcement.
 * For the diplomatic tensions bit - I imagine it did threaten to, but it's like two months before this sort of thing https://web.archive.org/web/20170515224247/https://www.nytimes.com/2017/05/15/us/politics/trump-russia-classified-information-isis.html so I don't think it was really a blip in the wild ride that is US-Russia relations.
 * The quote about the targets is I think almost verbatim from the inditement. I haven't got a reason to doubt it but on the other hand I'm trying to presume innocence...Joe (talk) 06:05, 25 May 2024 (UTC)

Baratov, the only man arrested, was extradited to the United States when?
 * Fixed


 * In late November, Ireland's Data Protection Commissioner (DPC) This sentence could be split up. Yahoo was not investigating the breach but just examining it What's a better way of saying this? That the DPC was unsatisfied with the thoroughness of Yahoo's investigation? awaiting information from Yahoo on allegations that it helped the U.S. government scan users' emails, a whopper of an accusation (also echoed by Sputnik). Was this allegation connected with either of the two breaches that this article talks about? If so, say so.
 * That sentance was a mess and I've redone it.

Instead, Yahoo last week posted an alert on its website asking users who were potentially affected by the breach to “promptly change their passwords,” as well as any security questions and answers used to access their accounts. I'll send a screenshot if you need.
 * Worth mentioning? The New York Times reported Wednesday that Yahoo Chief Executive Marissa Mayer “had rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach."
 * I'm 50-50. There's a lot of different quotes from fairly good sources we can use to take a swing at Mayer (who was clearly in charge and who clearly wasn't prioritising security), but I'm worried about a) UNDUE WEIGHT and b) overcompensating for the lack of technical details about the breach my making the article a hit-piece.  Joe (talk)


 * Avoid language that is likely to become outdated. (e.g. including two that work for Russia's Federal Security Service (FSB)).
 * Fixed


 * Marissa Mayer had reportedly denied Stamos and his security team sufficient funds to implement recommended stronger security measures, recommended by who?
 * Reworded


 * Single quotes should only be used in news headlines and quotes within quotes.
 * Fixed in a couple of places.


 * CEO Lowell McAdam said he wasn't shocked by the hack CEO of what company? Did Verizon renogotiate the deal as a result of the disclosure, as suggested here?
 * I've reworded so it's clear he's CEO of Verizon. It's certainly suggested by a bunch of outlets that there was a big negociation, and their probably was, but we have no sources in the room where it happened.


 * Mayer's equity compensation bonus for 2016 and 2017 was pulled. totaling $14 million. (p. 1279) Lots of good info here.
 * Added.


 * Democratic is capitalized in one instance but not the other.
 * Fixed


 * Yahoo eventually agreed to settle strike unnecessary word "eventually". the FBI officially charged four men strike word "officially".
 * Fixed


 * Yahoo's previous SEC filing on September 9, prior to the breach announcement The first SEC filing was filed to fulfill a regulatory requirement for the Verizon sale? Should say so.
 * Not entirely sure I follow this? Joe (talk) 06:05, 25 May 2024 (UTC)


 * Verizon only become aware of the 2014 breach just two days prior to the Yahoo's It should be noted that Yahoo disclosed this to Verizon. (p. 1271, AU Law Review)
 * Fixed


 * Identify nationality of Alexey Belan in body at first mention.
 * Done


 * After Yahoo was identified by Edward Snowden as a frequent target for state-sponsored hackers, it took the company a full year before hiring a dedicated chief information security officer, Alex Stamos implies that Stamos was hired to shore up security as a result of the Snowden leak, which highlighted security weaknesses at Yahoo. Was that so? Also the way this was written implies that Yahoo was slow to act on the revelations and that his hiring was overdue? True?
 * That's certainly what a selection of sources say. I don't particularly like the inference but I think it was added in as a response to some of your earlier comments?


 * That's all the comments I have for now. If you answer these you'll be about 90 percent of the way through this review. I look forward to your edits. Schierbecker (talk) 19:34, 1 May 2024 (UTC)
 * This looks great. I’m going to take a few days away from the internet for mental health reasons (happily unrelated to Wikipedia, obviously)but will be right on it when back. Joe (talk) 17:50, 2 May 2024 (UTC)
 * Take all the time you need. Schierbecker (talk) 18:44, 2 May 2024 (UTC)

Next Split

 * Lede
 * Neither breach was revealed publicly until September 2016. Try "Although Yahoo was aware" and use active voice. Maybe a good place to highlight the compartmentalization at Yahoo. Also somewhere in the body of the article.
 * Hmmm... I don't know how much I buy that compartmentalization was any more or less than at equivilent companies... it feels like a leap when we don't even have technical details for the breaches?


 * One MOS:$ in the lede.
 * My reading of MOS:$ was that the first usage should be "US$"?


 * I know Yahoo operates around the globe, but it would be appropriate to mention that it is an American company to explain jurisdiction and why the FBI was involved.
 * I'm game, but it was also investigated by other countries? I think this has come up before and we don't have a clear steer from MOS...


 * Spell out and wl SEC. wl, U.S. Congress.
 * Done.


 * significant implications for Verizon Communication's acquisition of Yahoo. Should mention that the acquisition was happening contemporaneously.
 * I've popped the year in.


 * August 2013: breach


 * No information has been released about the method used. Use for statements likely to become dated.
 * Done, good tip!


 * Early 2014: security culture at Yahoo


 * Need nationality of Edward Snowden and claim to fame.
 * Done (finding a short word for Snowdon took a while!)


 * it took the company a full year a bit arguementative. Be a little more objective. Marissa Mayer had reportedly denied Stamos If I recall from the source correctly, this allegation should be attributed to Stamos, right? he departed the company by 2015. does the source say why?
 * Rewored - I don't think the quotes I've found are attributed (I do think they come from him, but...)


 * Late 2014: breach


 * Give nationality and main claim to fame of Alexey Belan at first mention.
 * Done.


 * User Account Database should probably be uncapitalized
 * Hmmm, I'm vaguely sure it's capitalised in the indictment. Also it's a proper noun right? Because it's the core example. Like: there are many caves that have bats that would be batcaves, but Batcave is capitalised? Joe (talk) 06:30, 25 May 2024 (UTC)


 * "Journal of comparative international management" proper noun?
 * Ha! Fixed.


 * Belan and at least two hackers connected to him accessed user account information "Belan and allegedly two..." since these individuals haven't been prosecuted.
 * I've reworded the start of the section to make it clear that it's not set.


 * July 2016 to October 2017: public disclosures


 * The Federal Bureau of Investigation (FBI) confirmed when?
 * Within 24 hours (on the basis it's in the the articles that are from the 23rd) but I don't have a particular source.


 * In a regulatory filing in 2017, SEC? Mention the agency.
 * Done


 * all three billion user accounts try "all three billion Yahoo accounts".


 * Done


 * Prosecution


 * The four men accused include Alexsey Belan, a hacker on the FBI Ten Most Wanted Fugitives list, presumably you mean that Belan was on the FBI most-wanted list, not that there was another individual that was also on the most-wanted list.
 * Reworded.


 * wl FSB in the image caption and also mention nationality.


 * Done


 * The FBI claimed that Karim Baratov was paid by Dokuchaev and Sushchin to use data obtained by the Yahoo breaches to breach Is there another way to say this without repeating the word "breach". Use active voice (i.e. "D. and S. paid").


 * rewritten


 * Class action lawsuits


 * uncapitalize "Judge"
 * Done


 * number of respondents in the class did you mean to write "in the class action lawsuit"? Or is this the appropriate way to write this?
 * Reworded to be much more correct.


 * International
 * On October 28, 2016 probably don't need the exact date.
 * Done


 * at the request of U.S. intelligence services in a letter refs should go after punctuation.
 * Done


 * They asked Yahoo to communicate all aspects of the data breach to the EU authorities, spell out EU.
 * Done


 * Yahoo was not investigating the breach but just examining it still needs work. See earlier suggestion. Schierbecker (talk) 16:22, 22 May 2024 (UTC)
 * Okay, thank you for being patient - I think I've covered everything outstanding? What do you think? Joe (talk) 13:24, 25 May 2024 (UTC)
 * Dealt with earlier.

The final stretch
Nearly there.


 * lede
 * These incidents not only editorializing a bit. Try "These incidents led to the indictment of four individuals linked to the latter breach, including the Canadian hacker Karim Baratov who received a five-year prison sentence and also prompted widespread criticism of Yahoo for their delayed response.
 * Done


 * Maybe note that this was allegedly state-sponsored.
 * Done


 * "Implications" is too weak of a word. Maybe "complications".
 * Done


 * August 2013
 * There's a stray period in the first sentence
 * Done


 * As of 2024, no information has been released about the method used. WP:FAILEDVERIFICATION. Try "As of 2017 Yahoo had been unable to determine the cause of the 2013 breach."
 * Done


 * Former CEO of Yahoo Marissa Mayer, who was CEO repetitive. Try "Marissa Mayer, who was CEO of Yahoo at the time of the breach."
 * Done


 * Early 2014
 * Overlinking Mayer.
 * Done

believed to by the US Justice Department extraneous word
 * Late 2014
 * Done


 * Link Surviving Data Breaches
 * Done


 * July 2016
 * "$12million" should be 12 million
 * Done


 * July 2016 to October 2017
 * Mention that Yahoo thought the hack was state sponsored.
 * Done


 * Prosecution


 * Class action lawsuits
 * One uncited statement
 * Done


 * the plaintiffs contend use past tense
 * Done


 * International
 * Would like to know the outcome of Ireland's Data Protection Commissioner investigation if known.
 * Done


 * General commenets/questions
 * "US" or "U.S.", pick one.
 * Done - I picked "U.S."


 * U.S. Securities and Exchange Commission is not wikilinked at first mention, but further down. Spell out at first mention.
 * Done


 * I would definitely mention that Yahoo is headquartered in the U.S. What's the first question that emergency services asks you when you call for help? It's where are you? It is important for establishing the jurisdiction. Imagine that you are an alien or Zoomer who doesn't know about Yahoo. Never is it mentioned that the servers are located on U.S. soil, so it may be disorienting to you as a reader to read that the FBI is extraditing people from Canada. Also one line reads, "Foreign governments have also shown concerns on the several data breaches." Foreign to where?
 * Done


 * Did Yahoo apologize to users for the breach?
 * Mayer certainly did at congress https://www.reuters.com/article/idUSKBN1D825V - (there's a cute fact about the volentary testimony at the bottom) but Yahoo certainly didn't at the initial disclosure. It's an odd PR 'thing'. I can definately put Mayer's bit in somewhere?


 * Re:compartmentalization: I would at least mention that Mayer said she was unaware of the breach.
 * I think I might have missed that in the sources? Can you point me in the right direction.


 * I would incorporate some of the information alleged by Infoarmor, highlighting where it's analysis differed from the FBI and Yahoo. (WSJ). At minimum I would add:
 * That Infoarmor believed the hacking group was Eastern European.
 * That the group sold the bulk Yahoo data three times, but switched to an à la carte model in 2015.
 * That contrary to Yahoo's claim, it believed the hacking group was profit-motivated, not state-sponsored, but that some of their clients were state sponsored.
 * Added with a certain amount of discretion.


 * WSJ claims that Yahoo contacted the FBI within weeks of the 2014 breach. It's important to tread carefully here as the WSJ wasn't able to fully connect this event to the event described by this article.
 * That's a different event - it's included in a few other sources.


 * A very useful source: ArsTechnica.
 * With my computer-person hat on - it's nice that the FBI said this but it's entirely within what one would privately expect: the vast marjority of large scale breaches are spear-phishing and the only thing suprising here is that Yahoo's logging was bad enough that they don't know who got phished, or, it appears, much else about the whole affair.


 * Let me know if you would like access to any of the paywalled sources in this article. Schierbecker (talk) 17:00, 25 May 2024 (UTC)


 * This batch has been processed! Thank you so much for all your work on it :) Joe (talk) 06:39, 27 May 2024 (UTC)

✅ Congratulations! Schierbecker (talk) 15:21, 29 May 2024 (UTC)