The massive theft of Yahoo user data disclosed last week came from “professional” hackers seeking to profit from the breach, according to an analysis by security researchers.
“Yahoo was compromised in 2014 by a group of professional blackhats (hackers) who were hired to compromise customer databases from a variety of different targeted organizations,” the report said.
The researchers said the first mention of Yahoo data for sale on “dark” online markets occurred in April 2016.
They added that the vast majority of the data “is not legitimate,” and includes invalid, deleted and nonexistent accounts but that the attackers “misrepresented this data set in order to sensationalize and sell it for the purpose of monetizing” the data.
The hackers sold the data to “a state-sponsored party who had interest in exclusive database acquisition” and also to “cybercriminals who planned to use the data for spam campaigns against global targets.”
The hack occurred in late 2014 affecting some 500 million users worldwide, according to Yahoo’s disclosure last week.
It was not immediately clear if the disclosure would affect the sale of Yahoo’s core business to telecom group Verizon for $4.8 billion.
The news has drawn criticism from US lawmakers who question why it took Yahoo two years to publicly disclose the breach.
“We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week,” said a letter to Yahoo signed by six US senators.
“Consumers put their trust in companies when they share personal and sensitive information with them, and they expect all possible steps be taken to protect that information.”
A cybersecurity firm that analysed the Yahoo data breach affecting at least 500 million user accounts has told competing news organisations two very different stories of who actually carried out the hack.
In an analysis posted on its website, InfoArmor says “tessa88” — an anonymous but prominent figure in underground forums who sells stolen databases — was the first to mention Yahoo credentials for sale in Feb. 2016. The firm said that tessa88 was not the hacker, but acted as a proxy for those who carried out the attack.
The post itself does not actually say much about the hacker group behind the theft, except to say they were “professional blackhats who were hired to compromise” different organisations, to include Yahoo.
InfoArmor Chief Intelligence Officer Andrew Komarov “said that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn’t know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely,” wrote NBC News, in an article published Wednesday morning.
Then, just a few hours later, Komarov was quoted in the Wall Street Journal seemingly disputing his own assertion:
“We don’t see any reason to say that it’s state sponsored. Their clients are state sponsored, but not the actual hackers.”
The competing narratives add to the confusion surrounding the Yahoo hack, which resulted in the theft of at least 500 million user accounts by what the company said was a “state-sponsored” actor.
A person familiar with the matter told Business Insider that “Yahoo stands 100% behind its assertion” of a state-sponsored actor, but declined to offer further evidence in support of that claim.
It is possible that Komarov was trying to draw a distinction between the alleged criminal hackers and the government client paying them, though a hacker group being paid by a state would rightly be considered “state-sponsored.”
Multiple phone calls to InfoArmor went unanswered.
The more important question is when, not who
Many want to know exactly who carried out the attack on Yahoo, but the most important question at this point is learning exactly when the company learned it had been breached.
That’s because Yahoo filed documents with the SEC on September 9 indicating there had “not been any incidents” of security breaches that could have an adverse effect on its business.
If it knew it had been hacked before that filing, the agency could rake the company over the coals over a lack of disclosure.