In August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly gained access to the details of over 1 billion users. Names, email addresses, birth dates, phone numbers, and passwords were all stolen in this mega online theft. Security questions and backup email addresses used to reset lost passwords were also stolen and now it turns out that the full database is available for purchase online
Yahoo had absolutely no clue about this hack until a third-party notified the company this year. The company had reported another breach in September this year that affected 500 million users’ data. While Yahoo has no idea who was the perpetrator, in its announcement, the company said the 2013 breach seemed to be linked to the 2014 hack by “state-sponsored” hackers.
As if 2016 wasn’t shitty enough for Yahoo, which admitted to two separate breaches that saw 500 million users’ and then 1 billion users’ details stolen by hackers. No one knows what happened to the data during the last three years. But last August, a geographically dispersed hacking collective based in Eastern Europe quietly began offering the whole database for sale. It’s believed that the hacker group that breached Yahoo is based in Eastern Europe, but the company said it still doesn’t know if this is accurate or not.
The New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000, That’s according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm, who monitors the dark corners of the internet inhabited by criminals, spies and spammers. He told that three buyers, including two prominent spammers and another who might be involved in espionage tactics purchased the entire database at the aforementioned price from a hacker group, paid about $300,000 each for a complete copy of the database, he said. This means each account is worth just $0.0003 to hackers. The database of 1 billion Yahoo accounts is currently receiving bids as low as $50,000 since the data is much less valuable now as Yahoo has forced a password reset.
Yahoo still does not know who broke into its systems in 2013, how they got in or what they did with the data, the company said Wednesday.
What’s even more worrying is that Yahoo allegedly wasn’t even aware of the breach until some US intelligence agencies notified it of the incident earlier this month, after obtaining evidence of the attack from an unknown source. This certainly doesn’t spell good news for the company’s efforts to sell its core business to Verizon.
The attack, which Yahoo disclosed on Wednesday, is the largest known data breach of a company. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source.
The two huge breaches revealed this fall threaten to erode consumer confidence in the company and are endangering its deal to sell its internet businesses to Verizon Communications for $4.8 billion. On Thursday, Yahoo’s stock plunged 6 percent as investors worried that Verizon would abandon the purchase.
The company’s deal with Verizon is also in limbo. Verizon had asked for a billion dollar discount on the $4.8 billion deal after the September announcement of the breach that affected 500m users. Following Wednesday’s news, the company is weighing its options and might just walk away.
Hackers also gained access to personal data of millions of military and civilian government employees from a number of countries. Mr. Andrew Komarov said in an interview on Thursday that his company obtained a copy of the database and over the last few months alerted military and law enforcement authorities in the United States, Australia, Canada, Britain and the European Union about the breach. After those parties verified the authenticity of the stolen records, he said, some of them went to Yahoo with their concerns.
“The limited InfoArmor data set provided to us by Bloomberg, based on initial analysis, could be associated with the data file provided to us by law enforcement,” the company said in a statement. “That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment.”
The Federal Bureau of Investigation said in a statement that it was investigating the Yahoo breach. Attorney General Eric T. Schneiderman of New York also said his office was in touch with Yahoo to examine the circumstances of the data breach.
Security experts and former government officials warned that the real danger of the Yahoo attack was not that hackers gained access to Yahoo users’ email accounts, but that they obtained the credentials to hunt down more lucrative information about their targets wherever it resided across the web.
“This wasn’t an attack against Yahoo, but rather reconnaissance to launch other campaigns,” said Oren Falkowitz, a former analyst at the National Security Agency who now runs Area 1, a Silicon Valley security start-up.
“Inactive or not, a billion user accounts and hashes means attackers have a golden key for new phishing attacks,” he said. In a phishing attack, a hacker often poses as a trusted contact and tries to induce the recipient of an email to click on a malicious link or share sensitive information.
Users routinely ignore advice to use different passwords for their different accounts across the web, which means a stolen Yahoo user name and password could open the door to more sensitive information in online-banking, corporate or government email accounts.
Mr. Komarov said the group that hacked Yahoo in 2013, which he calls Group E, appeared to be motivated by money, not politics.
It is believed to have broken into the systems of major American internet companies like LinkedIn, Myspace, Dropbox and Tumblr, as well as foreign-owned services like VKontakte, a Russian social network similar to Facebook.
That database of 1 billion Yahoo accounts, Mr. Komarov said, is still for sale, although current bids are coming in at $20,000 to $50,000 since the data is much less valuable now that Yahoo has changed the passwords.
“There is now huge interest in Yahoo’s database,” he said. “We know that there will be some new deals.”