A cybersecurity firm that analyzed the Yahoo data breach affecting at least 500 million user accounts has told competing news organizations two very different stories of who actually carried out the hack.
In an analysis posted on its website, InfoArmor says “tessa88” – an anonymous but prominent figure in underground forums who sells stolen databases – was the first to mention Yahoo credentials for sale in Feb. 2016. The firm said that tessa88 and another dark web broker called “Peace of Mind” were not the hackers, but acted as proxies for those who carried out the attack.
The hacker group “used these two guys to broker that data out,” Bryon Rashed, senior director of marketing at InfoArmor, said in a phone interview.
The post itself said little about the hacker group behind the theft, other than that they were “professional blackhats who were hired to compromise” different organizations, including Yahoo.
InfoArmor Chief Intelligence Officer Andrew Komarov told NBC News “that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn’t know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely,” according to an article published Wednesday morning. (An InfoArmor rep later disputed NBC’s account to Business Insider, and said that InfoArmor does not think the attackers were state sponsored. NBC has not updated its story.)
Then, just a few hours later, Komarov was quoted in the Wall Street Journal seemingly disputing that assertion:
“We don’t see any reason to say that it’s state sponsored. Their clients are state sponsored, but not the actual hackers.”
The competing narratives add to the confusion surrounding the Yahoo hack, which resulted in the theft of at least 500 million user accounts by what the company said was a “state-sponsored” actor.
A person familiar with the matter told Business Insider that “Yahoo stands 100% behind its assertion” of a state-sponsored actor, but declined to offer further evidence in support of that claim.
The more important question is when, not who
Many want to know exactly who carried out the attack on Yahoo, but the most important question at this point is exactly when the company learned it had been breached.
That’s because Yahoo filed documents with the SEC on September 9 indicating there had “not been any incidents” of security breaches that could have an adverse effect on its business.
If it knew it had been hacked before that filing, the agency could rake the company over the coals over a lack of disclosure.
And if knowledge of the hack goes back even further than that – like before July, when Verizon agreed to buy Yahoo – the $4.8 billion deal could be in jeopardy.
A number of US Senators are also asking that question.
On Monday, Sen. Al Franken (D-Minnesota) and his colleagues wrote in a letter to Yahoo CEO Marissa Mayer: “We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans’ data may have been compromised for two years. This is unacceptable.”
The letter went on to request a timeline of events surrounding the hack, among other questions. A Yahoo spokesperson told Business Insider the company had “received the letter and will work to respond in a timely and appropriate manner.”
Yahoo declined to comment on the date it first learned of the breach when asked again on Thursday morning.
This post was updated on 9/29 at 12:30 p.m. PDT with new information from InfoArmor.