Was troubled tech giant Yahoo really breached by a state-sponsored hacker?

Yahoo protects its customers from state-sponsored hacks by sending them email notifications if suspicious activity is detected on their accounts. However, if explanations about the massive 2014 breach are to be believed, the firm failed spectacularly to uncover such an attack on its own systems.

As the dust settles following the public acknowledgement of the hack – which lost half a billion names, email addresses, telephone numbers, dates of birth and hashed passwords – many are beginning to speculate if the excuse of a 'state-sponsored' actor could possibly be true.

In its initial statement, Yahoo said: "A recent investigation has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor."

However, not everyone is willing to accept this claim at face value. "There are questions to be answered around Yahoo's claim that this was a state-sponsored hacker," said Jeremiah Grossman, an expert with cybersecurity firm SentinelOne who spent over two years as an information security officer with Yahoo.

Grossman, noting the previous appearance of a figure called 'Peace' who put hundreds of millions of Yahoo accounts up for sale on the Dark Web in August, said that it's possible there were actually two different breaches at Yahoo. "State-sponsored adversaries don't typically publicly share stolen data or sell it," he said. "Peace was all about selling stolen Yahoo account data, so it's unlikely he was state-sponsored.

"In terms of the motivation as to why a nation state might target Yahoo, there are some parallels between this and the Google Aurora attacks in 2010. Nation-state sparring is playing out on networks like Yahoo because they're a valuable source of information on your opponent's strategy.

"If you are a nation state and want to determine if any of your domestic spies have been discovered, you put taps on Google, Yahoo, Microsoft etc. rather than government networks. Of course, there is always the motivation to deanonymise political dissidents."

According to Bloomberg, at least two sources "familiar with the Yahoo investigation" have claimed the link to nation-state hackers is "not iron-clad". Until technical evidence is provided, everyone appears to be openly sceptical of the firm's claims.

"In blaming a 'state-sponsored actor' Yahoo seems to be trying to tell us 'there's nothing we could do.' JPMorgan tried a similar tactic, with little success, after a 2014 hack," wrote columnist Tim Culpan after news of the hack broke. "It's as if foreign governments are expected to be able to breach any firm's cyber-security measures, and corporations should be forgiven. That's bunkum."

Burning questions still need answers, said Chris Hodson, an expert at cybersecurity firm Zscaler which has worked with everyone from the UK's National Health Service (NHS) to the United States Marines.

"With no technical details included in Yahoo's report about how the data was exfiltrated, just that it was, it's impossible to assess credibility of the 'state sponsored' claim without this," he said. "In this instance, we can only speculate that the 'state sponsored actor' claim was made with a view to placating the general public.

"It might well be that Yahoo has had support from government departments and that attribution has been possible but equally, 'state-sponsored' is often prefixed to 'actor' in an effort to suggest sophisticated and surreptitious means of data exfiltration. We simply do not know."

After the hacking of the Democratic National Committee (DNC) in July this year, a slew of breaches have been linked to 'nation state' hackers. Attribution, however, remains famously difficult.

Sean Sullivan, a cybersecurity expert with F-Secure, told IBTimes UK he remains "sceptical" about the claims that Yahoo was targeted by a state actor – however said there were a number of examples to back up such speculation.

"Taking an educated guess I would think that China might be interested for the sake of accessing Chinese account holders," he said. "Which is to say, I think that is a reasonable motive to attribute to China. My other thought is maybe it is just a mercenary group, one that has worked with nations in the past. So that is why it's mentioned as something that the FBI is focused on. Governments are some of the big customers that mercenaries serve so it can [often] look the same."

Concerned about the Yahoo hack? This is how you can check if you're impacted and what you should do next.