In August 2013, hackers infiltrated Yahoo and stole over a billion account details: usernames, hashed passwords and security questions. Three years later, a security expert has claimed the full batch has already been sold numerous times on the Dark Web for thousands of dollars.
Andrew Komarov, chief intelligence officer at cybersecurity firm InfoArmor, has claimed a set of Eastern European hackers – who he has dubbed "Group E" – successfully sold the database containing "up to a billion" Yahoo accounts at least three times for roughly £300,000 each.
The hacking collective began discussing the data breach in August this year, Komarov told Bloomberg. The researcher, who regularly monitors underground forums for leaks, believes the hackers are the same group that targeted major websites including LinkedIn, Myspace and Dropbox.
Komarov said two of the buyers were known spammers; the third, he claimed, may have been a foreign intelligence agency, because they specifically requested a list of 10 US and foreign government officials to prove authenticity before making the purchase.
Komarov said he was able to "intercept" a copy of the database during a sale, which he then shared with the US government because it contained sensitive information on accounts belonging to White House staffers, FBI agents, military officials and even National Security Agency (NSA) operatives.
The US government then informed Yahoo, which launched a probe into the claims. Nearly a month later, on 22 September, Yahoo made the first public acknowledgment it had suffered a major breach of at least 500 million accounts. Yet the researcher said something was still amiss.
The copy of Yahoo accounts he had obtained was different from the type Yahoo was discussing in its official media statements. He told Bloomberg that his version had "minimal encryption" and that he quickly suspected the firm may have suffered a second major hack.
In late October this year, Komarov said he alerted law enforcement in the US and UK to the possibility of a second breach. A month later, in a legal filing to the US Securities and Exchange Commission (SEC) on 9 November, Yahoo admitted it was probing the new information.
This week (Wednesday 14 December), the firm confirmed it had suffered what is now considered the largest data breach ever to hit a major company. In an investor statement, Yahoo said it did not know the identity of the culprit but believes it may be a "state-sponsored actor."
According to the New York Times, InfoArmor did not contact Yahoo directly, instead choosing to only go through police channels because it did not trust the firm to investigate the incident properly as the leaks had the potential to scupper the ongoing Verizon takeover deal, worth $4.8bn.
Komarov said the database is still for sale on the Dark Web, although the price has dropped significantly to roughly $20,000 after Yahoo enforced password and security question changes. "There is now huge interest in Yahoo's database," he told the NYTimes.
Komarov's account appears to shed light on the timescale of events that led to the release of the user data – yet questions remain.
It is unclear where the data was between August 2013 and August 2016. Details about the sellers of this data, the so-called "Group E" collective, are also vague.
IBTimes UK reported in August, the same month Komarov claims to have come across the billion-strong database, that a seller using the pseudonym "Peace" had listed 200 million Yahoo accounts on the Dark Web for three Bitcoin (equivalent to £1,395, or $1,838, at the time).
Peace, who also used the name "Peace_of_Mind" as a Dark Web vendor, told Wired in an interview he was once part of a Russian hacking group that targeted major technology firms.
The mysterious figure said that once his hacking group disbanded, leaks from 2012/13 that were previously only shared with an "inner circle" started to appear online – including 160 million accounts from LinkedIn and over 360 million from former social networking giant Myspace.
Yahoo has said that it cannot yet verify Komarov's claims. "The limited InfoArmor data set [...] based on initial analysis, could be associated with the data file provided to us by law enforcement," a statement read. "That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment," it added.