Report: Cybercriminals, Not State-Sponsored Actors, Likely Behind Yahoo Breach

Add Your Comments

The theft of 500 million Yahoo user credentials was carried out by a gang of cybercriminals based in Eastern Europe, and possibly not a “state-sponsored actor” as the company has claimed, according to a report from Arizona-based cybersecurity firm InfoArmor. The firm, which provides employee identity services and advanced threat intelligence, published the results of its investigation in a blog post on Wednesday.

InfoArmor analyzed intelligence from a variety of sources and concluded that many published accounts of the event contain significant inaccuracies.

SEE ALSO: Yahoo Says at Least 500 Million Accounts Breached in Attack

Yahoo announced the breach of 500 million user accounts last week, blaming the 2014 hack on “a state-sponsored actor.” The official statement and accompanying FAQ are directed at concerned Yahoo users, and as such no details of its internal investigation are included. Yahoo is about to be taken over by Verizon, making the disclosure even more troubling for the company.

“Unfortunately, the security community and press haven’t verified the dump and appear to be focused only on the significant number of records having @yahoo.com domain name,” according to the blog post. “For any experienced threat intelligence analyst, the price of 3 BTC (~ 1806.42 USD) for 200,000,000 Yahoo user accounts is suspiciously strange and has no rational explanation.”

The majority of the data for sale on the dark web by “peace_of_mind” and referenced above was not legitimate, InfoArmor says, but rather consisted of deleted, invalid, and nonexistent accounts. InfoArmor alleges that two actors attempting to resell data from the Yahoo breach expected to receive the stolen credentials from the real hackers after meeting certain conditions of monetization – which they were unable to do.

In the end, InfoArmor identifies two involved groups – English-speaking resellers, and a group of professional Eastern European blackhats. InfoArmor does not discount the possibility of state involvement, but rather identifies four hackers responsible for at least ten hacks, including breaches at LinkedIn, Dropbox, and MySpace. A U.S. government source familiar with Yahoo’s investigation told Fortune that there is no hard evidence yet that a state was behind the attack.

InfoArmor notes that the actual Yahoo data dump appears not to be available anywhere, and that sales have been specific to criteria like geography. The company suggests that the breach could have led to targeted attacks against U.S. government personnel.

As for Yahoo’s deal with Verizon, a statement issued by the telecom indicates that it was informed just days before the news became public, and that it will “evaluate as the investigation continues through the lens of overall Verizon interests” what course to take.

Add Your Comments

  • (will not be published)