A cybersecurity firm that analysed the Yahoo data breach affecting at least 500 million user accounts has told competing news organisations two very different stories of who actually carried out the hack.
In an analysis posted on its website, InfoArmor says “tessa88” — an anonymous but prominent figure in underground forums who sells stolen databases — was the first to mention Yahoo credentials for sale in Feb. 2016. The firm said that tessa88 was not the hacker, but acted as a proxy for those who carried out the attack.
The post itself does not actually say much about the hacker group behind the theft, except to say they were “professional blackhats who were hired to compromise” different organisations, including Yahoo.
InfoArmor Chief Intelligence Officer Andrew Komarov “said that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn’t know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely,” wrote NBC News, in an article published Wednesday morning.
Then, just a few hours later, Komarov was quoted in the Wall Street Journal seemingly disputing his own assertion:
“We don’t see any reason to say that it’s state sponsored. Their clients are state sponsored, but not the actual hackers.”
The competing narratives add to the confusion surrounding the Yahoo hack, which resulted in the theft of at least 500 million user accounts by what the company said was a “state-sponsored” actor.
A person familiar with the matter told Business Insider that “Yahoo stands 100% behind its assertion” of a state-sponsored actor, but declined to offer further evidence in support of that claim.
It is possible that Komarov was trying to make a distinction between the alleged criminal hackers and the government client paying them, though a hacker group being paid by a state would rightly be considered “state-sponsored.”
Multiple phone calls to InfoArmor went unanswered.
The more important question is when, not who
Many want to know exactly who carried out the attack on Yahoo, but the most important question at this point is exactly when the company learned it had been breached.
That’s because Yahoo filed documents with the SEC on September 9 indicating there had “not been any incidents” of security breaches that could have an adverse effect on its business.
If it knew it had been hacked before that filing, the agency could rake the company over the coals over a lack of disclosure.
And if knowledge of the hack goes back even further than that — like before July, when Verizon agreed to buy Yahoo — the $4.8 billion deal could be in jeopardy.
A number of US Senators are also asking that question.
On Monday, Sen. Al Franken (D-Minnesota) and his colleagues wrote in a letter to Yahoo CEO Marissa Mayer: “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”
The letter went on to request a timeline of events surrounding the hack, among other questions. A Yahoo spokesperson told Business Insider the company had “received the letter and will work to respond in a timely and appropriate manner.”
Yahoo declined to comment on the date it first learned of the breach when asked again on Thursday morning.