As challenges mount against Yahoo’s attribution of a massive 2014 data breach to state-sponsored hackers, CISO Bob Lord yesterday confirmed that a cache of 200 million Yahoo accounts marketed this summer in an underground forum is unrelated to the breach.
Speaking at the Structure Security conference in San Francisco yesterday, Lord said the incidents were independent of one another and that Yahoo could not verify that the hacker known as Peace indeed had Yahoo account data for sale in July and August. Lord did say that Yahoo’s investigation into the solicitation on the dark web market known as The Real Deal prompted a closer look at Yahoo’s network and infrastructure and led to its discovery of the 2014 breach.
In the meantime, Peace and another hacker called tessa88, both of whom were tied to a string of large password dumps this year, have been exposed as merely resellers of stolen data, proxies between hackers and buyers. The 200 million records they claim to have were not stolen from Yahoo, but were compiled from numerous third-party breaches and leaks. Connecting this data to a potential Yahoo breach may have been hype at the time to monetize the data, much of which was considered “garbage” by experts. Infighting and distrust of their activities got one of them banned from a number of underground forums, and may have prompted an ongoing DDoS attack against The Real Deal marketplace.
One security company also called into question Yahoo’s conclusion that the attack was the work of a government-sponsored attack group. Andrew Komarov, chief intelligence officer at InfoArmor, said that the 2014 breach was the work of the same cybercrime outfit that breached LinkedIn and MySpace.
Yahoo declined to comment on InfoArmor’s conclusions.
Komarov said his company had acquired a large sample of data from the 2014 Yahoo breach (he would not say how it was obtained) and checked random records to confirm its authenticity. “It’s an operative source; we never bought the data. And after analysis and verification of the dump, we are confident this is the legitimate dump and no reason to believe it is garbage or from a third party,” Komarov told Threatpost.