Yahoo’s admission that the personal data of half a billion users has been stolen by “state-sponsored” hackers leaves pressing questions unanswered, according to security researchers.
Details, including names, email addresses, phone numbers and security questions, were taken from the company’s network in late 2014. Passwords were also taken, but in a “hashed” form, which prevents them from being immediately re-used, and the company believes that the financial information it holds remains safe.
The company confirmed the breach in a statement on Thursday night, but its statement, and a follow-up notification sent out to customers on Friday morning, raised as many questions as it answered.
Chief among them was why disclosure took so long, both from the date of the hack, almost two years ago, and from the first appearance of the dumped data on the dark web almost two months ago, where it was being sold by a user named “Peace of Mind”, who had also sold dumps of data from MySpace and LinkedIn.
Jeremiah Grossman, head of security strategy at infosec firm SentinelOne, said: “While we know the information was stolen in late 2014, we don’t have any indication as to when Yahoo first learned about this breach. This is an important detail in the story.”
Grossman, who ran information security for Yahoo’s engineering department until 2001, added that the company’s claims that the attacker was “state-sponsored” also need additional scrutiny. “State-sponsored adversaries don’t typically publicly share stolen data or sell it, like profiteer hacker ‘Peace of Mind’.
Peace of Mind was all about selling stolen Yahoo account data, so it’s unlikely he was state-sponsored. And if so, this means it’s possible we’re looking at two different Yahoo breaches with two different hacking groups in their system.”
Read more at The Guardian.