(Bloomberg) — More than 150,000 U.S. government and military employees are among the victims of Yahoo! Inc.’s newly disclosed data breach, and their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals. It’s a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security. These employees had given their official government accounts to Yahoo in case they were ever locked out of their e-mail.
The government accounts belong to current and former White House staff, U.S. congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the U.S. military. The list includes an FBI division chief and multiple special agents working around the U.S.; current and former diplomats in Pakistan, Syria and South Africa; a network administrator at NSA’s Fort Meade headquarters; the chief of an Air Force intelligence group; and a human resources manager for the CIA.
On Wednesday, Yahoo revealed the second major breach of its systems, following the September disclosure of a widespread hack. The newly announced intrusion, which occurred in 2013, affected more than 1 billion users, and the government employee data is likely part of that cache. The other hack was disclosed earlier but took place later, in 2014, and Yahoo has said it threatened 500 million accounts. “Yahoo has taken steps to secure user accounts and is working closely with law enforcement,” the company said in a statement issued Wednesday.
The information about the government employees comes from a cyber-security researcher, Andrew Komarov, who discovered a stolen database of Yahoo user information involving hundreds of millions of accounts and turned it over to the government, which in turn alerted Yahoo. Bloomberg News reviewed the database and confirmed a sample of the accounts for accuracy. Yahoo declined to comment on the stolen government employee information.
Former intelligence officials said the leak of government worker data could make the job of foreign spies easier, creating an alphabetized hit list of targets for hacking. “We went to great lengths to keep the fact people worked at NSA as low-profile as we possibly could. The last thing we’d want is an alpha list of NSA employees,” said Lonny Anderson, former technology director for the NSA and now executive vice president at security company Federal Data Systems Inc.
Gaining access to personal e-mail accounts, even unofficial ones, can be extraordinarily valuable. Clinton campaign chief John Podesta’s Gmail account was hacked in March, revealing over a decade of private communications and fueling weeks of attacks on Hillary Clinton in the crucial final weeks of the U.S. presidential election. The hack was part of a propaganda campaign that U.S. intelligence officials believe was orchestrated by Russia to influence the election.
The newly disclosed Yahoo hack — and revelations about stolen government employee information– could further complicate Yahoo’s attempts to sell its core internet assets to Verizon Communications Inc. for $4.8 billion, a deal that is slated close in the first quarter of 2017. Verizon’s general counsel said in October that Yahoo’s breach would likely have a material impact, meaning Verizon could demand a lower price or back out altogether.
In a statement in response to Wednesday’s hacking revelation, a Verizon spokesman said: “As we’ve said all along, we will evaluate the situation as Yahoo continues its investigation. We will review the impact of this new development before reaching any final conclusions.”
Komarov found the database in August. As the chief intelligence officer for InfoArmor, a cybersecurity firm, it’s his job to prowl the internet’s darkest corners, infiltrate cybercrime rings and help law enforcement and his company’s clients track down stolen data. For the last three years, Komarov had been watching a prolific Eastern European hacker group when he saw them offering up a huge database for sale.
The group Komarov had been surveilling, which he calls Group E, was carefully keeping the sale off of public cybercrime forums. They said they had a database of logins for more than 500 million — perhaps up to 1 billion — Yahoo accounts for sale for $300,000.
Komarov watched the hacker group sell the database three times, and he was able to intercept the database during the sales. Two buyers were large spamming groups that are on the Spamhaus Register of Known Spam Operations, or ROKSO, list. The other had an unusual request before completing the purchase. The buyer gave the sellers a list of ten names of U.S. and foreign government officials and business executives, to verify their logins were part of the database. That led Komarov to speculate the buyer was a foreign intelligence agency.
Nearly two months later, Yahoo announced it was hacked — the first revelation of a breach. The company said that in 2014, data on more than 500 million accounts was taken, including users’ names, e-mail addresses, dates of birth, phone numbers, and security questions and answers. The haul also included passwords, the “vast majority” of which were protected with a powerful encryption method called bcrypt, which makes it very difficult to discern passwords, the company said.
Komarov studied Yahoo’s announcement with interest. The database he had was unlike what the company described: it had different, more minimal encryption and also included users’ backup e-mail addresses. He suspected the company may have been the victim of a second major hack. He alerted law enforcement in the U.S. and U.K. in late October, and about a week later, Yahoo disclosed in a regulatory filing that it was investigating a new claim of a hack. This breach was confirmed on Wednesday.
Komarov said the group selling the database he acquired are professional cybercriminals who sell mostly to spammers, leading him to conclude that a nation was not behind this crime. The hackers are Eastern European and Komarov said based on their communications he suspects they may have never met in person. They are prolific hackers, picking major e-mail providers and social media sites to target based on how much they can sell the logins for. Their operations have netted more than 3.5 billion records from companies including MySpace, Dropbox and VK.com, a popular Russian social networking site.
The leak makes government employees especially susceptible to attacks, said Frank Zou, founder of Sunnyvale, California-based startup HoloNet Security. “They’re easy targets,” he said.
Foreign spies will go down the list “one by one” trying to hack government employees, even if they’re low-level, Zou said. Hackers will look for any footholds into secure systems or sensitive files workers have sent to their personal accounts.
The Yahoo attack is different than other hacks, Komarov said, and poses danger to more than just government employees. “The Yahoo hack makes cyber espionage extremely efficient,” he said. “Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands. The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge.”