The Yahoo hackers weren't state-sponsored, a security firm says

Elite hackers-for-hire were actually behind the breach, according to InfoArmor

Common criminals, not state-sponsored hackers, carried out the massive 2014 data breach that exposed information about millions of Yahoo user accounts, a security firm said Wednesday.

Yahoo has blamed state actors for the attack, but it was actually elite hackers-for-hire who did it, according to InfoArmor, which claims to have some of the stolen information.

The independent security firm found the alleged data as part of its investigation into "Group E," a team of five professional hackers believed to be from Eastern Europe.

"According to our information, most of the group's clientele are spammers," said Andrew Komarov, InfoArmor's chief intelligence officer.

InfoArmor's claims dispute Yahoo's contention that a "state-sponsored actor" was behind the data breach, in which information from 500 million user accounts was stolen. Some security experts have been skeptical of Yahoo's claim and wonder why the company isn't offering more details.

The database that InfoArmor has contains only "millions" of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, Komarov said.

The security firm says it obtained the data from "operative sources" about a week ago and has verified that the account information is real. Komarov wouldn't say more about how InfoArmor got the data.

Group E has sold the stolen Yahoo database in three private deals, Komarov said. At one point, the Yahoo database was sold for at least $300,000, he said. His firm has been monitoring the group's activities for more than three years.

InfoArmor also claimed that Group E was behind high-profile breaches at LinkedIn, Dropbox and Tumblr. To sell that information, the team has used other hackers, such as Tessa88 and peace_of_mind, to offer the stolen goods on the digital black market.

"The group is really unique," Komarov said. "They're responsible for the largest hacks in history, in terms of users affected."

However, in the case of the Yahoo database, which was taken before Dec. 2014, Group E hasn't made it generally available on the black market, according to Komarov. Group E wants to preserve the database's value. Other hackers have claimed to offer it for sale, but they were actually selling fake information, he said.

Yahoo didn't respond to a request for comment. The company hasn't offered any evidence supporting its claim that state-sponsored hackers carried out the attack.

Other security experts are split over InfoArmor's findings.

Alex Holden, Chief Information Security Officer at Hold Security, said InfoArmor's claims were mostly consistent with what he had found in his own investigations. However, he added, "Right now we do not know with full confidence who was behind the original breach in 2014, and if there was only one breach."

Vitali Kremez, a cybercrime analyst at Flashpoint, is more skeptical of InfoArmor's findings. "They might have jumped the gun too early on this," he said.

He questioned discrepancies between the database that InfoArmor obtained and what Yahoo said was stolen. For example, Yahoo said passwords hashed with the bcrypt algorithm and security questions may have been lifted as part of the breach. The data InfoArmor uncovered only contains passwords hashed with the MD5 algorithm, and no mention of security questions, he said.

"Yahoo said that the stolen passwords used bcrypt. Why would they lie about that?" Kremez said. "It's possible that InfoArmor has a different data set."
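The discrepancy Kremez points to (bcrypt versus MD5) is something an analyst can check mechanically before trusting a claimed dump, since the two formats look nothing alike on disk. The following is an added example, not code from the article or from InfoArmor; the `login:hash:phone:zip` record layout and the sample records are constructed here for illustration.

```python
import re
from collections import Counter

# MD5 is stored as 32 hex characters. bcrypt uses the modular-crypt form
# $2a$/$2b$/$2y$, a two-digit cost, then a 22-char salt and 31-char digest
# drawn from bcrypt's own base64 alphabet (./A-Za-z0-9), 60 chars in total.
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def classify_hash(value: str) -> str:
    """Return 'md5', 'bcrypt' or 'unknown' based purely on string format."""
    value = value.strip()
    if MD5_RE.match(value):
        return "md5"
    if BCRYPT_RE.match(value):
        return "bcrypt"
    return "unknown"


def bcrypt_cost(value: str):
    """Work factor encoded in a bcrypt string, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(value.strip())
    return int(m.group(1)) if m else None


def summarize_dump(lines):
    """Count hash formats in colon-separated records (assumed layout: login:hash:phone:zip).

    Format alone only tells you which algorithm family produced each value; it
    cannot prove where the records came from, which is the caveat Kremez raises.
    """
    counts = Counter()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        if len(fields) < 2:
            counts["malformed"] += 1
            continue
        counts[classify_hash(fields[1])] += 1
    return dict(counts)


# Constructed sample records; every value here is made up for the example.
SAMPLE_DUMP = [
    "# login:hash:phone:zip",
    "user_a:d41d8cd98f00b204e9800998ecf8427e:5550100:90210",
    "user_b:9E107D9D372BB6826BD81D3542A419D6:5550101:10001",
    "user_c:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:5550102:60601",
    "user_d:da39a3ee5e6b4b0d3255bfef95601890afd80709:5550103:30301",  # SHA-1 length
    "garbage line with no separator",
]
```

Running `summarize_dump(SAMPLE_DUMP)` on the constructed records reports two MD5 entries, one bcrypt entry, one unknown (the 40-hex SHA-1-length value) and one malformed line, which is the kind of mix that would immediately flag a data set as not matching a vendor's stated hashing scheme.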

InfoArmor's Komarov said his company is happy to work with law enforcement, Yahoo and other independent parties to examine the data he's recovered. A sample of the data is available in the company's findings.

IDG News Service tried some of the sample login IDs and found that Yahoo recognized some. The login IDs also didn't appear to be recycled from other leaked databases. However, Yahoo didn't recognize some of the other IDs.

Komarov said that although most of Group E's clients are spammers, they had at least one customer who was a state-sponsored actor. The stolen Yahoo database might have been used to target U.S. government officials, InfoArmor said in its report.
