The massive 2014 breach of more than 500 million user credentials was carried out by an Eastern European criminal gang, not a state-sponsored group as Yahoo claims, a cybersecurity firm has said. According to a new report by Arizona-based InfoArmor, the hackers, dubbed "Group E", sold the stolen Yahoo data to at least three clients, including one state-sponsored actor.
Last week, the tech giant disclosed that sensitive user information, including names, phone numbers, email addresses, birth dates, encrypted passwords and, in some cases, unencrypted security questions and answers, for more than half a billion user accounts was compromised in late 2014 in what has been called the "biggest data breach in history".
While Yahoo said it believes a nation-state actor was behind the breach, it did not provide any technical evidence. InfoArmor, by contrast, claims the Yahoo hackers were criminals, a conclusion it reached after reviewing a small sample of compromised accounts provided by The Wall Street Journal.
The security firm, which the WSJ reports appears to have access to portions of the Yahoo database, cracked the passwords for eight Yahoo accounts and supplied the phone numbers, birth dates and ZIP codes associated with them.
"Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations," InfoArmor said in a report. "The Yahoo data leak, as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur."
According to InfoArmor chief intelligence officer Andrew Komarov, the hackers have a track record of selling personal data on the Dark Web and were previously linked to other high-profile breaches, including those at LinkedIn, Tumblr and MySpace.
"We don't see any reason to say that it's state sponsored," Komarov told WSJ. "Their clients are state sponsored, but not the actual hackers."
According to the firm's research, Group E used other hackers including Tessa88 and peace_of_mind to offer the data dumps on the digital black market.
However, the firm has not specified how it obtained access to the database or why Yahoo did not reveal the scope of the breach for almost two years. InfoArmor also declined to respond to WSJ's inquiry into why it believes the hackers are Eastern European.
WSJ reported that the database appeared to have been taken from Yahoo sometime before 4 December 2014, based on the passwords recovered by the firm.
Attributing cyberattacks to a specific threat actor is considered especially difficult by researchers, intelligence officials and other experts, since cybercriminals may sell stolen sensitive information to government agencies or even offer their illegal services for hire, blurring the line between criminal and state activity.
Six Democratic senators slammed Yahoo on Tuesday (27 September) saying it was "unacceptable" that the tech company only recently revealed the massive hack and demanded immediate answers from Yahoo chief Marissa Mayer about the company's investigation into the breach. Yahoo was also hit with a class-action lawsuit last week accusing the company of gross negligence.
Meanwhile, many investors and experts have expressed concerns over the impact of the major breach on the ongoing takeover deal with telecom giant Verizon, which agreed to buy the company's core business for $4.8bn (£3.6bn) in July. Verizon said it will "evaluate" its position as the investigation continues.