Business Standard

One billion Yahoo! accounts still on sale, despite hacking indictments

- VINDU GOEL

For sale: one billion Yahoo! accounts, $200,000 or best offer. The passwords don’t work, but the dates of birth, telephone numbers and security questions could still be useful to an adept cyberthief.

After federal prosecutors unsealed indictments this week against four men they say were responsible for a 2014 intrusion into Yahoo!’s systems that affected 500 million user accounts, data on one billion accounts — stolen in another attack on the company a year earlier — appeared to remain available on underground hacker forums on Friday.

The authorities were tight-lipped about their investigation of the 2013 attack, which is the largest known breach of a private company’s computer systems. The 2014 hacking of Yahoo!’s servers is the second largest.

“We’re not willing to comment right now if there is a connection between the two investigations,” Malcolm Palmore, who oversees the Federal Bureau of Investigation’s cybersecurity division in San Francisco, said on Wednesday in a brief interview after the government unveiled the indictments.

But the two attacks share some common characteristics and may be linked in some fashion.

Both of them involved highly skilled Russian hackers, according to cybersecurity experts who have studied the attacks. In both cases, the hackers had links to the Russian government. And in both cases, at least some of the data was used to send spam to Yahoo! users.

Alexsey Belan, the technical expert who was charged with breaking into Yahoo!’s systems in 2014 at the behest of two Russian intelligence officers, has a long record of cybercrime.

In 2012, he was indicted on three felony charges for hacking the computer systems of Zappos, the online shoe retailer owned by Amazon, and stealing information on as many as 24 million customers.

In 2013, Belan struck again, hacking into Evernote and Scribd, two digital document storage services, according to a federal indictment filed against him that June. Law enforcement authorities arrested him in Greece later that year, but he posted bail and fled to Russia.

Cybersecurity experts who have studied the incidents say the 2013 attack on Yahoo! was most likely carried out by a different person. InfoArmor, an Arizona cybersecurity firm, has attributed it to a group of cyberthieves it calls Group E. That group sold the entire database at least three times, including once to an entity that InfoArmor believes was connected to the Russian government.

The indictment against Belan filed this week is vague about how he and his three co-conspirators gained access to Yahoo!’s systems.

Alex Holden, founder of Hold Security, a cybersecurity firm, said one prevailing theory in the industry was that Belan capitalised on the earlier breach. He said the person or people behind the 2013 intrusion probably sold, traded or were forced to share their access to Yahoo!’s systems with Russian intelligence services. The two Russian intelligence agents indicted in the 2014 breach are accused of using that access to conduct their own spying operation with the assistance of Belan and another conspirator in Canada.

The database of one billion accounts was on offer for $200,000, which Holden, the Hold Security founder, called “an exorbitant amount of money.” The asking price for a single address is $10,000.

The sellers claimed to have continued access to Yahoo!’s systems. But when Holden, posing as a buyer’s representative, asked them to prove their access by giving him data about two new accounts, they could not do so.

Yahoo!, for its part, has said that the security holes exploited by the hackers have been patched up.

Photo caption (REUTERS): The database of one billion accounts was on offer for $200,000