Earlier this week, the world learned that Yahoo has been hacked — in a very, very big way. At some point in 2013, cybercriminals made off with the records of more than 1 billion users, including names, birth dates, phone numbers, passwords that were encrypted in an easily broken manner, security questions and backup email addresses used to reset lost passwords.
What happened to all that data for three years? No one exactly knows. But sometime in August, a hacking collective based in Eastern Europe quietly began offering the whole database for sale, according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm that specializes in the dark web. And the bids are coming in — so far, three known buyers (two spammers and a spy) have paid around $300K each for a full copy of the database.
The breach is the largest data breach in history — and made more disturbing by the fact that Yahoo was totally unaware it had happened until earlier this week. It also doesn’t know who broke into its system or why.
This is the second big breach for Yahoo this year — it was already investigating an incident from 2014 that only saw 500 million passwords disappear into the cyber-ether. That hack was believed, by Yahoo, to have come from a government source.
Mr. Komarov said in an interview on Thursday that his company obtained a copy of the database and over the last few months alerted military and law enforcement authorities in the United States, Australia, Canada, Britain and the European Union. Some of those groups went to Yahoo with their concerns.
InfoArmor did not.
Mr. Komarov noted that early attempts to do so through an intermediary led to Yahoo dismissing their claims — and that Yahoo was always unlikely to investigate the breach since it could threaten the sale to Verizon.
Yahoo said Thursday that it could not verify Mr. Komarov’s claims, which were made public in a Bloomberg article on Wednesday.
“The limited InfoArmor data set provided to us by Bloomberg, based on initial analysis, could be associated with the data file provided to us by law enforcement,” the company said in a statement. “That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment.”