A database of one billion stolen Yahoo accounts has been sold to at least three different buyers for $300,000 each, and the group selling the data and behind the 2013 intrusion—the largest data breach on record—is a criminal operation, not a state-sponsored attack group as Yahoo claims.
Andrew Komarov, chief intelligence officer at InfoArmor, said the attack against Yahoo was carried out by a group of four cybercriminals called Group E. The hackers are Eastern European and Russian speaking, and run an expansive business of selling compromised data, primarily to spammers.
Yahoo has stood by its claims that the 2013 breach was the work of nation-state attackers. Last week, Yahoo CISO Bob Lord disclosed that in August 2013 hackers stole data associated with more than one billion accounts and that the stolen data included names; email addresses; dates of birth; passwords hashed with the outdated MD5 algorithm; and encrypted and unencrypted security answers and questions. Yahoo said the intruders also obtained proprietary information from Yahoo’s network that let them forge cookies and access accounts without authentication.
Lord said last week, and again in September when Yahoo disclosed what it says is a distinct breach of its network that exposed 500 million records, that state-sponsored attackers were responsible. Neither time did Lord identify the country responsible or its motivations, saying only that law enforcement is investigating.
Komarov disputes that claim. He says Group E likely hit Yahoo in the spring of 2013, and that one of its clients with nation-state interests wanted exclusive access to the data. Group E refused, Komarov said, because of the widespread interest in the Yahoo data and the greater potential earnings from selling it to different parties.
“They are a big and long-term client of theirs from the past. The Yahoo deal was one of their latest deals with them,” Komarov said of Group E’s client. “It’s pretty interesting that some foreign intelligence service found a source on the underground (Group E) and they were their clients on compromised data for a pretty significant period of time. When the Yahoo data popped up, they tried to discuss with them an exclusive deal for close to $1 million. They were ready to acquire the Yahoo database on an exclusive basis for a pretty serious amount of money. But Group E did not agree to this. They told them they work with different people, which confirmed the cybercriminal motivation. They will sell it but not on an exclusive basis.”
Group E targets large online services with large numbers of users, Komarov said. Their customer base of spammers can quickly monetize this data. The nation-state client, however, would likely be interested in parsing the stolen data differently. For example, spammers would be able to buy segments of stolen data according to geographical location, personal information and more. Since backup email data was also among the stolen Yahoo data, it’s believed a nation-state attacker would be interested in .gov or .mil addresses that are linked to Yahoo accounts as recovery email addresses. This would be the launchpad for spearphishing emails and targeted attacks.
Group E’s members have their own distinct skill sets and never sell directly to clients, nor do they have a presence in underground forums and markets, Komarov said. Two members of the team specialize in hacking web applications and network intrusions; a third is a database engineer who structures the stolen data and parses it for clients; and the fourth is a programmer who writes their data exfiltration tools. They have been linked to a number of high-profile hacks such as Dropbox, LinkedIn, MySpace and VKontakte (a Russian Facebook-like social network). Passwords from each of these hacks were dumped online this summer in a succession of leaks that put more than a billion credentials into the public eye.
The concern now is that the data has been in the hands of spammers and other hackers for more than three years. Spammers could generate massive amounts of spam from the stolen Yahoo data, with Group E and spammers monetizing the stolen database many times over. Password reuse is a real risk given the relative ease with which unsalted MD5 password hashes can be cracked, as the hackers can try to take over accounts at other online services using the stolen Yahoo credentials.
As for the recovery email data, the New York Times reported that data from 150,000 American military and government employees were included in the stolen data.
“This is ideal for espionage purposes,” Komarov said. “They could identify who were users of Yahoo from the government by parsing the backup email data. Many users link their personal Yahoo email with their official work emails. Bad actors can now easily navigate through this criteria. They’ve had three years to do anything they wanted.”
Yahoo, meanwhile, told the Times it could not verify InfoArmor’s conclusions, which were first reported by Bloomberg.
“The limited InfoArmor data set provided to us by Bloomberg, based on initial analysis, could be associated with the data file provided to us by law enforcement. That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment,” Yahoo said.