Hacker sentenced to 5 years for 2014 Yahoo breach

Authored by a Symantec employee


Prosecutors describe Karim Baratov as an "international hacker for hire." A U.S. judge has now sentenced the 23-year-old Canadian to five years in prison for his role in the 2014 Yahoo data breach.

Yahoo breach affected 500 million Yahoo accounts

Baratov pleaded guilty in November 2017 to nine felony hacking charges, which included helping Russian government spies gain access to Yahoo email accounts. In his plea, he admitted to hacking thousands of webmail accounts over seven years, sending those accounts' passwords to a Russian spy in exchange for money.

The attacks allowed Baratov, co-defendant Alexsey Belan, and two Russian Federal Security Service agents to gain direct access to Yahoo's internal networks. And that access enabled them to target specific accounts of interest to the Russian spies. Those accounts belonged to journalists, business leaders, and others.

The Yahoo breach compromised some 500 million Yahoo user accounts. According to Yahoo, the exposed account information may have included names, email addresses, birth dates and, in some cases, security questions or answers. Encrypted passwords — jumbled so only a person with the correct passcode can read them — were also taken. Yahoo says it did not store credit card or other payment information in the affected system.

Baratov started hacking as a teen. He reportedly ran a no-questions-asked service, charging customers about $100 to obtain another person's webmail password through a fake password-reset page.

Yahoo hacker earned more than $1 million

Baratov reportedly collected more than $1.1 million in fees, using the money to buy a house and expensive cars. He said he didn't know he was working with the Russian spy agency.

In addition to the prison sentence, Baratov was also fined $250,000.

Baratov's arrest is the only one in this investigation. Co-defendant Belan and the two Russian spies reside in Russia and are unlikely to be extradited to the U.S. to face the charges against them.

Baratov's approach of using a fake password-reset page to trick people into handing over their login credentials is a good reminder not to click on links without first considering where they lead. A safer practice is to type the website's URL directly into your browser and reset your password from there, whether it's for an email, social media, or bank account.
