Yahoo’s one billion account data hacking is turning into a security nightmare with a new report on Bloomberg saying that the personal data of over 150,000 US government and military employees has been breached. According to Bloomberg, the information on government employees was found by Andrew Komarov, who is a cyber-security researcher; he turned over this data to the government, which then alerted Yahoo about the breach.
As the Bloomberg report points out, the leak puts the identity of several government employees at risk and could expose their personal and work accounts. The list of data includes “current and former White House staff, US congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the US military,” says the report.
For the US government, the Yahoo data breach a serious challenge and threat to the security of these employees, especially those involved in CIA, FBI etc where secrecy is a must. Yahoo has not yet commented on the stolen government employee information.
The report also highlights that Komarov had found the database in August, which is even more worrying because it shows Yahoo itself had no clue on this massive breach. According to Komarov, an Eastern European hacker group has a database of 500 million or more accounts; this was put up for sale and the researcher intercepted it during the sales. In the past Komarov has also concluded that the Yahoo hackers are not a state-sponsored group, something that Yahoo has been insisting.
For Yahoo users the bigger problem posed by this data breach is that many of them don’t even know if and when their accounts were hacked and how much of information has already been stolen. Yahoo today admitted that over one billion accounts were compromised in 2013, and that the hacker also stole their proprietary cookie technology, which would have granted them access to the system and accounts without any need for a password.
Yahoo says it has disabled these forged cookies, but nonetheless the fact remains that users were left clueless regarding a data breach in their account for years. Yahoo’s own SEC filing in November showed that even in 2014, some of its staff was investigating about a possible cyber-attack, but the company never made the information public at that point.