The company promptly started its investigation and last week confirmed the data breach, dated back at 2014 revealing that a nation-state actor has exposed at least 500 Million Yahoo user accounts.
But, now it seems that the Yahoo data breach is much extended.
The experts from the intelligence firm InfoArmor that investigated the incident claim the Yahoo data breach is the result of a cyber attack conducted by cyber criminals that later sold the Yahoo user accounts to an Eastern European nation-state actor.
“Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations. Some of their initial targets, which occurred in 2012 and 2013, are linked directly with the recent large scale data breaches of social media networks and online-services such as MySpace, Tumblr and LinkedIn. Other well-known brands have been impacted by this group but the data stolen from them is not currently available for sale or validation in the underground, as of the writing of this report.” states a blog post published by InfoArmor.
Experts from InfoArmor confirmed that the first hacker who offered for sale the huge trove of data is a threat actor nicknamed “tessa88,” he acted as a proxy between the actual bad actors.
The presence of tessa88 as a mediator allowed the hackers who breached the company to mask their identity.
“tessa88, registered on several underground communities, was the first to mention that Yahoo account credentials were available for sale. According to operative sources and long-term analysis, tessa88 acted as a proxy between the actual bad actors responsible for one of the largest hacks in history and potential buyers from various underground communities.” continues the analysis published by the company.
Peace_of_Mind then acted as a partner with tessa88, but soon the two have had serious misunderstandings documented by InfoArmor.
A recent update on the investigation indicates that the number of affected Yahoo user accounts compromised may be between 1 Billion and 3 Billion.
According to former Yahoo executive who has spoken under a condition of anonymity, the Yahoo architecture aggregates all the user authentication data in a single database, a circumstance that suggests that the volume of compromised data is greater than revealed by the company.
“I believe it to be bigger than what’s being reported,” the executive, who no longer works for the company but claims to be in frequent contact with employees still there, including those investigating the breach, told Business Insider. “How they came up with 500 is a mystery.” reported the Business Insider.
“But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion.”
According to the source, all of Yahoo’s products share a central user database for its services, including Yahoo Mail, Finance, and Sports.
At the time of the data breach (2014), there were roughly 700 million to 1 billion active users.
The hackers compromised not only Yahoo account credentials, but also personal information included in their records such as dates of birth, phone numbers, hashed passwords, and unencrypted security answers.
Why Did Yahoo report the 500 Million number?
The sad aspect of the story is that Yahoo could have protected its users with a password reset, but according to the New York Times, the CEO Marissa Mayer gave the firm different priorities penalizing the security.
Let’s wait for a Yahoo!’s reply.
(Security Affairs – Yahoo Data Breach, cybercrime)