On 22 September 2016, Yahoo’s CISO Bob Lord confirmed to the world that in 2014 a “state-sponsored actor” had made off with the account information of at least 500 million Yahoo users.
Whoever perpetrated the hack not only stole those affected users’ names and email addresses but also nabbed other important bits of personal information, including their dates of birth, phone numbers, (thankfully bcrypt-hashed) passwords, and unencrypted security answers.
The attackers weren’t able to some important pieces of information, however. As Lord explains in his original statement:
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
At the time of Lord’s disclosure, we at Graham Cluley Security News noted how Yahoo had not shared any information about how it arrived at the attribution of a state-sponsored actor.
It seems we might have been right to have raised a querulous eyebrow at that part of the company’s announcement.
Identity protection firm InfoArmor says it has found evidence that suggests state-sponsored actors weren’t responsible for Yahoo’s massive hack:
“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations. Some of their initial targets, which occurred in 2012 and 2013, are linked directly with the recent large scale data breaches of social media networks and online-services such as MySpace, Tumblr and LinkedIn. Other well-known brands have been impacted by this group but the data stolen from them is not currently available for sale or validation in the underground, as of the writing of this report.”
The security company says news first surfaced of leaked Yahoo credentials from one “tessa88”, who acted as a proxy between hackers and buyers of stolen login credentials.
The user announced Yahoo credentials for sale in a post to an underground marketplace on 3 April 2016.
Several months later, “tessa88” formed a partnership with Peace_of_Mind aka “Peace,” who then published 200 million records from the Yahoo dump in August after an actor known as “InstallsBuyer” blocked “tessa88” for providing access to poor-quality stolen data and not refunding buyer’s purchases.
But much of the data in that particular posting wasn’t legitimate.
InfoArmor elaborates on that point:
“After extensive analysis and cross reference against the data breach intelligence systems of InfoArmor, it was determined that the dump is based on multiple third party data leaks, which have no relation to Yahoo. Presumably, the threat actor specially misrepresented this data set in order to sensationalize and sell it for the purpose of monetizing his efforts following the negative impact of his relationship with tessa88.”
Peace had expected to receive the real data dump from a group of hackers known as “Group E,” to whom “tessa88” had connections. That never happened for some reason.
As of this writing, the real Yahoo breach of 500 million users’ account information has not appeared on the dark web.
InfoArmor reports Group E sold the data to one of their proxies “or further monetization based on the sale of particular records from the dump.” Little is known about Group E other than the fact that it might consist of five people: one non-technical member responsible for monetization of stolen data and four others who are technical, according to Threatpost.
Going forward, InfoArmor urges that the security community evaluates unknown threat actors’ claims carefully:
“InfoArmor recommends that the Security Community use appropriate due diligence in evaluating any threat actor claims regarding legitimate data sources. Given the nature of the relationships between threat actor groups, proxy organizations and parsing of data, as shown above, enterprises, agencies and individuals are encouraged to be on high alert for espionage, infiltration, and impersonation. InfoArmor will continue to monitor this situation and provide further updates as pertinent information becomes available.”
For more information, please read InfoArmor’s report.