InfoArmor is reporting that the Yahoo! data breach likely contains millions more records than the 500-million figure now being bandied about, and that the total number of user records stolen by the various groups involved in this and other recent hacks could total 3.5 billion.
The company is also disputing the idea put forth by Yahoo! that the hack was performed by a state actor; instead, the security firm believes a group of Eastern Europeans is responsible. The records involved in this case were taken in 2014.
Andrew Komarov, InfoArmor CEO, told SCMagazine.com that the Yahoo! breach easily surpasses the 500 million mark, judging from a sample of several million of the stolen records his company was able to obtain, but he was reticent to put out an exact figure at this time and berated other firms for issuing numbers before the validation process was completed.
“We need to validate the data leaks and not trust the words from the threat actors,” he said, adding more time is needed to determine the exact number involved.
Komarov said this also holds true when assigning blame for an attack. When news of the breach broke, a state-sponsored group was assumed to be the source. InfoArmor disputes that report, stating that credit belongs to an Eastern European gang it calls Group E. The only involvement a state-sponsored group has with the attack is that Group E did sell part of the Yahoo! data dump to such an organisation, while two other sales were made to gangs specialising in spam attacks, Komarov said. About US$300,000 (£231,000) was charged for the data in each case.
Because Group E is selling to specific customers, it has not posted the Yahoo! database to the web; instead, the data is being sold in pieces through proxies, InfoArmor wrote.
Michael Lipinski, CISO and chief security strategist at Securonix, told SCMagazine.com in an email that a true determination of credit will be difficult until Yahoo! is more forthcoming with information.
“Unfortunately, we are still speculating since there has been no release of information from Yahoo!,” Lipinski said. “Sure it's possible that a state actor with ulterior motives contracted with the folks that already had the formula for breaching Yahoo! from the work done on LinkedIn, DropBox and Myspace. That's a reasonable assumption. Why reinvent the wheel if you don't have to,” he said.
However, Lipinski is more troubled by Yahoo!'s general inaction in responding to the hack.
“The lack of discovery of this breach on Yahoo!'s part gave whoever took this information exactly what they wanted,” he said. “They had the account information that we now know was crackable. If they had ulterior motives, they had years to benefit from that obtained information and lack of notification to users of those accounts. That's my larger concern.”
While 500-million-plus Yahoo! user records is a massive number, InfoArmor believes the total number of records stolen over the last several years is several times that size. When Group E's pile of Yahoo! data is added to those taken from LinkedIn, Myspace, Dropbox, and other big attacks and then combined with all the other attacks that have taken place, the total number of records compromised is likely in the region of 3.5 billion, or about the same number of people who are known to use the internet, Komarov noted.
Yahoo! has not yet responded to SCMagazine.com's inquiry for further information.