Yahoo attack not 'state-sponsored,' researchers claim

InfoArmor says that not only was customer data sold in the underground, but the damage is far more extensive than reported.
Written by Charlie Osborne, Contributing Writer

Yahoo's claims that a 2014 hack which resulted in a data leak of at least 500 million user accounts was state-sponsored has come under fire from cybersecurity experts.

Earlier this month, Yahoo confirmed a data breach which took place in 2014. The tech giant said that the cyberattack may have affected roughly 500 million user accounts, however, information security firm InfoArmor believes otherwise.

According to an investigative report released by InfoArmor this week, the actual number of Yahoo accounts leaked could affect more than one billion users, far more than the 500 million reported -- which included "dormant and bot accounts" which are useless to cybercriminals.

In addition, when Yahoo disclosed the breach the firm said it believed a "state actor" was responsible for the cyberattack. State-sponsored threat actors tend to work for political or business gain, have access to more resources than your average hacker and may have directions from above on what companies or organizations to attack.

At the time, Yahoo claimed:

"A copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers."

Yahoo did not provide any technical evidence to support the claim the attack was state-sponsored. InfoArmor now suggests otherwise; stating that Yahoo was actually compromised by a group of professional blackhats known as "Group E," of which the company has been tracking for a number of years.

The group, believed to be from Eastern Europe, stole the database and has sold the dump several times; twice to cybercriminals which plan to use the data for spam campaigns, and once to a state-sponsored actor.

The Wall Street Journal reports that a number of Yahoo accounts included in the dump were decrypted by InfoArmor to show at least some of the data up for sale is legitimate. The stolen data includes Yahoo login IDs, ZIP codes, recovery email addresses, phone numbers and dates of birth.

Andrew Komarov, InfoArmor chief intelligence officer told the publication:

"We don't see any reason to say that it's state-sponsored. Their clients are state sponsored, but not the actual hackers."

See also: Yahoo's delay in reporting hack 'unacceptable,' say senators

Considering Verizon is in the closing stages of acquiring the company for $4.8 billion, this disclosure could not have come at a worse time.

Top tips to stay safe on public Wi-Fi networks

Editorial standards