An investigation conducted into the two Yahoo security incidents disclosed recently revealed the existence of a connection and led researchers to believe that the claim of 200 million accounts being stolen in 2012 is likely false.
In early August, a hacker claimed to possess 200 million Yahoo user accounts stolen from the tech giant back in 2012. The hacker, known online as Peace and peace_of_mind, had offered to sell the data for 3 Bitcoin on a marketplace called TheRealDeal, where he had previously sold hundreds of millions of Tumblr, Myspace, VK and LinkedIn accounts.
Then, earlier this month, Yahoo confirmed that attackers, which the company believes were sponsored by a nation state, breached its systems in 2014 and stole at least 500 million user accounts. Yahoo never confirmed the alleged 2012 incident, although some suggested that the company discovered the 2014 breach while investigating those claims.
Security firm InfoArmor launched an investigation and determined that the vast majority of the 200 million credentials were not associated with Yahoo accounts. Experts believe the data likely comes from multiple third-party leaks and that some of the credentials match only because people reuse passwords. It’s worth noting that some people questioned the validity of the 2012 dump ever since samples of the data were made available.
InfoArmor believes Peace faked the data after having a falling-out with tessa88, another hacker who recently offered to sell hundreds of millions of accounts stolen from various services. According to researchers, tessa88 and Peace exchanged stolen information, until the former was called out over fake and low-quality dumps.
However, evidence uncovered by InfoArmor suggests that there is a link between these cybercriminals and the threat actor that carried out the 2014 attack confirmed by Yahoo.
Researchers believe tessa88 is linked to the real Yahoo hackers through an unidentified actor that played the role of a proxy. This proxy allegedly obtained the Yahoo data from professional black hats in Eastern Europe and provided it to various other actors, including cybercriminals and a state-sponsored party that had been interested in exclusive database acquisitions.
Tessa88 had previously received accounts from the proxy and InfoArmor believes tessa88 and Peace expected to get the Yahoo data as well. However, since that did not happen, Peace created a fake dump and claimed it came from a 2012 breach.
According to the security firm, the 500 million accounts were stolen from Yahoo after the compromised database was divided into hundreds of equal parts. The files, which contained data organized alphabetically, were exfiltrated in segments.
InfoArmor said the actual Yahoo dump is still not available on any cybercrime forums. However, the data has been monetized by some cybercriminals and the company believes it might have also been leveraged in attacks targeting U.S. government personnel.
Yahoo breach aftermath
News of the breach has caused serious problems for Yahoo, just as the company’s core business is about to be acquired by Verizon for $4.8 billion. Some believe the incident could impact the deal, but Verizon has yet to comment.
Several class actions have been filed against Yahoo by customers, including people who claim to be directly affected by the breach.
Earlier this week, U.S. Senator Patrick Leahy sent a letter to Yahoo CEO Marissa Mayer asking how such a massive breach could go undetected for two years. Senator Mark Warner has asked the Securities and Exchange Commission (SEC) to determine if the company fulfilled obligations to keep the public and investors informed, as required by law.
Mayer reportedly neglected cybersecurity since she took over the company. According to The New York Times, current and former employees said the CEO focused on functionality and design improvements rather than security.
Alex Stamos, who left his CISO position at Yahoo last year to become Facebook’s CSO, was allegedly denied financial resources for proactive security solutions. Mayer is said to have also rejected a proposal to reset all user passwords fearing that the move would result in more users abandoning its services.