ktsdesign - Fotolia
Security researchers saw data from more than 1 billion Yahoo accounts sold to multiple threat groups on the deep web, but the method of breach reporting meant Yahoo didn't learn about the incident for months.
InfoArmor, a cybersecurity firm based in Scottsdale, Ariz., first reported the sale of the data on Sept. 28, about one week after Yahoo disclosed the 2014 breach which affected 500 million user accounts. InfoArmor's original report said the data from the Yahoo breach was sold to three separate groups on the deep web in August.
Andrew Komarov, chief intelligence officer at InfoArmor, said each buyer paid approximately $300,000 for the data and while two of the buyers were spam groups, one may have had espionage intentions for the several million accounts in the database with connections to military and government officials from dozens of nations.
Because InfoArmor's report came soon after Yahoo's disclosure it was assumed the data sold was from the 2014 Yahoo breach, but that assumption turned out to be incorrect. The data was actually from a previously unknown Yahoo breach that occurred in 2013 in which account data for 1 billion users was stolen.
InfoArmor published this information three months before Yahoo's official disclosure of the 2013 breach, and Komarov admitted that InfoArmor never directly contacted Yahoo with the data it had.
"This year in August we have acquired some parts of the database and after some time the whole thing exfiltrated from the bad actor's site," Komarov told SearchSecurity. "Sept. 28, we released our report and in September we sent some parts of the information to law enforcement, at that time in a limited form because we were also working on analysis. And during October/November, we have sent pretty big parts to them as well so it was not like in one day."
Komarov said it wasn't until November, after law enforcement had analyzed the data, that the law enforcement agencies sent it to Yahoo and "Yahoo confirmed that the hashes were MD5," which meant the data was not from the 2014 Yahoo breach and was from an unknown incident.
InfoArmor could not clarify the timeline regarding exactly when the data was shared with law enforcement or when it became clear this data was from a separate breach, but Komarov contended there was evidence that should have tipped off Yahoo in InfoArmor's original report.
Komarov said the InfoArmor report was published two months before Yahoo's official statement and described the passwords as "hashed with MD5" but there was a "conflict with the Yahoo statement." "[Yahoo] claimed that all the information from so-called incidents from 2014 should be bcrypt but we've never seen such data," Komarov said. "So the data set we have, which has direct correlation to this 1 billion breach from 2013, it has only MD5 hashes -- very easily crackable."
According to a statement provided to SearchSecurity by Yahoo, the only data it received that it could attribute to InfoArmor came from Bloomberg.
"The limited InfoArmor data set provided to Yahoo (by Bloomberg), based on initial analysis, could be associated with the data files provided to the company by law enforcement," Yahoo said. "That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment."
John Wagster, an attorney specializing in cybersecurity issues at Frost Brown Todd LLC, said "in the absence of a contractual obligation with somebody" any reporting done by InfoArmor "is just out of the goodness of their heart."
"They have no contractual duty that I'm aware of, to Yahoo or anyone else. The responsible thing for them to do is what they did: Turn it over to law enforcement and then let law enforcement look at it and if law enforcement can make the determination, if they have the technical capabilities, that in fact it is Yahoo data then they can turn it over to Yahoo or they can call and make a suggestion to Yahoo that there may have been a hack," Wagster told SearchSecurity. "This is pretty common in breaches of all kinds. Often the first time a company finds out about it is when they're contacted by law enforcement of some sort."
Komarov said working only with law enforcement was intended to make the process easier and "more comfortable" for those involved.
"We had some concerns and based on our experience -- we work with many different companies having data breaches -- ... sometimes they prefer not to disclose it or to not explain the real reasons for the incidents. So that's why we decided to go directly to law enforcement," Komarov said. "We used them as a channel for independent check of Yahoo data just to avoid any commercial interests or any misunderstanding as we're both private companies. That was the key reason for that."
Responsible breach disclosure
John Bambenek, threat systems manager at Fidelis Cybersecurity, said he could understand the concern of InfoArmor considering the company "appears to sell services involving proactively looking for breaches and threats to members of an organization."
"It's a new area so ethical norms are still developing. Having a conversation with a company about data your service intercepted where such information flow would be part of a commercial offering can get weird. When I have come across stolen data, my personal first approach is to bring it to law enforcement and a trusted contact at the victim organization if I have one. Involving law enforcement upfront helps mitigate some of the ethical issues that can occur," Bambenek told SearchSecurity via email. "That being said, if InfoArmor made no attempt to contact Yahoo or law enforcement for two months (assuming the facts of the reporting are correct), I find that problematic. Many of us do intelligence work for commercial entities, but we must always be mindful that we do have a role in protecting the public. It's hard to see how holding on to that information serves the goal of protecting the public."
However, Wagster said InfoArmor could have opened itself up to liability issues if it said too much publicly or said something that was wrong.
"If they make statements about it that are wrong or they turn it over to a security monitor site, somebody who looks at hacks like this -- Krebs on Security, or something like that -- absolutely Krebs is going to turn around and run an article on it. And, if they're wrong, they could be opening themselves up to liability from Yahoo for making a statement that's defamatory, saying Yahoo can't protect its data," Wagster said. "All they know is what they see and they see data being sold. It could be a resale of data. In some blog posts I saw, people were claiming to have the data but didn't; they were mixing it with data from other breaches. It appeared to me that InfoArmor's stance was, 'This is what we see,' which I think is entirely appropriate."
Other experts noted there are specific protocols when it comes to responsible disclosure of security vulnerabilities and although the same does not apply to disclosing security breaches, in the case of a breach when personal data is compromised, it is best to notify the affected company as soon as possible.
Alexander Polyakov, CTO and co-founder of ERPScan, said standards around responsible breach disclosure need to be discussed because "there can hardly be a universal answer."
"Responsible vulnerability disclosure rules are mostly not disputed -- white-hat researchers don't publish details in the wild and leave a period of time for the vulnerability to be patched. Responsible breach disclosures are way more complicated. When a victim company discloses the incident, it may cause panic and worsen a situation," Polyakov told SearchSecurity. "On the other hand, the company shouldn't delay the alert if personal data is compromised. In case the fact of a data breach was known to a third party, it seems responsible to notify the victim confidentially."
Ben Bernstein, CEO at Twistlock, said it's clear there was some confusion between the two breaches, "which likely led to the fuzziness in dates."
"To add to that confusion, there is no best practice around how to go about disclosing knowledge about breached data being traded across the dark web," Bernstein told SearchSecurity. "The default white-hat thing to do is to disclose the information immediately, and if that didn't happen, it's easy to see why Yahoo would feel they were treated unfairly. But until the infosec community creates a clear process, we'll continue to witness similar situations and issues."
Rebecca Herold, CEO of The Privacy Professor, said regardless of the law or traditional breach reporting methods, "the ethical, and decent, thing to do would have been to let Yahoo know as soon as they discovered the additional breach."
"There are a lot of things that laws do not compel, and many more things that laws do not restrict, but organizations should think about the overall privacy impacts and harms that could occur and take appropriate actions, as a good digital citizen, where appropriate, even when they are not forced to by law. Their inactions could actually make privacy harms much worse than if they had notified Yahoo right away."
Learn more about cybersecurity breach reporting doubling in one year.
Find out how a Java vulnerability report strained responsible disclosure.
Get info on the Homeland Security chief calling for a federal breach reporting law.