Yahoo whodunnit: Mystery surrounds hackers behind massive breach

A cybersecurity company claims it wasn't state-sponsored hackers who breached Yahoo user data. Yah-who knows?

Laura Hautala Former Senior Writer

Yahoo suffered a massive data breach in 2014. But who broke in and took the data? (Image: Getty Images)

A week after Yahoo said it was subjected to the worst data breach in history, details about who nabbed info on 500 million email accounts remain sketchy.

At least one firm says it wasn't a "state-sponsored actor" as Yahoo claimed, but like many things related to hacks, cybersecurity and the dark web, even that claim is impossible to verify.

"The group responsible for the Yahoo hack are cybercriminals," said Andrew Komarov, chief intelligence officer at InfoArmor. The company posted a report on Wednesday detailing the involvement of "Group E," a hacking syndicate that InfoArmor says it has been monitoring in dark corners of the internet for some time.

The FBI is currently investigating the data breach but hasn't put forward a theory publicly about who is behind it.

"We take these types of breaches very seriously and will determine how this occurred and who is responsible," the FBI said in a statement.

Komarov said InfoArmor was able to obtain "a pretty large sample of the database" of stolen email addresses, encrypted passwords and other personal information. With the permission of people whose information was caught up in the hack, the company checked the database and found it corresponded with real Yahoo accounts from 2014.

The Wall Street Journal sent 10 Yahoo mail addresses to the researchers and reported that InfoArmor was able to respond with the correct user information on all 10 of them, cracking the passwords for eight of the accounts.

Yahoo did not respond to a request for comment on the InfoArmor report.

Still, the InfoArmor report is impossible to verify by a third party, said Damon McCoy, a New York University computer science professor who focuses on cybersecurity.

The claim that the database was stolen by commercially motivated hackers and not a foreign government's spies is based on information gathered by "operative sources" whom the company could not reveal, Komarov said. In other words, secret contacts in the cybercriminal underground gave them the information.

McCoy said the definition of a state-sponsored actor can get muddled in the real world of hacking. Maybe a government agency pays a contractor to hack for it, or maybe a government hacker freelances as a cybercriminal in his free time.

"What is a state actor and how do you know when you're dealing with a state actor versus a non-state actor? It all seems to get murky and gray," McCoy said.