Yahoo Hack: Likely Cybercrime, Not State-Sponsored
by Alexis Corn
Yahoo’s confirmation that a state-sponsored actor stole information from at least 500 million user accounts in 2014 marks the largest breach in known history. The multinational technology company and email provider announced on Tumblr that hackers stole names, email addresses, phone numbers, birth dates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
Yet questions still remain. Yahoo has neither identified the specific country that orchestrated the hack nor provided the method used to steal the data. In another statement, Bob Lord, Yahoo’s chief information security official, only wrote,
“So how do we know if an attack is state-sponsored? In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks.”
The lack of detail surrounding the hack has raised a few eyebrows. Some have argued that Yahoo may have pointed to state-sponsored hackers as a way to assuage the blowback.
“If I want to cover my rear end and make it seem like I have plausible deniability, I would say ‘nation-state actor’ in a heartbeat,” said Chase Cunningham, director of cyber operations at security provider A10 Networks.
….
“This just doesn’t reek of nation-state activity,” he said. “Nation-states are after intellectual property. They don’t give a damn about emails and passwords from a Yahoo account.”
If Yahoo’s state-sponsored actor claim is incorrect and these cybercriminals operated independently, users’ credential information is undoubtedly part of the illicit trade network embedded in the dark web. In an interview for Wired, Peace, a hacker who has also sold user credentials from LinkedIn, Myspace and Twitter as well as from Yahoo, said that before publicly publishing LinkedIn and Twitter data, he/she initially sold it privately for spamming or hacking specific targets. Peace revealed that he publicly made $15,000 from selling 2012 LinkedIn data and roughly $18,000 from 2013 Myspace data. In August, Peace sold 200 million Yahoo user credentials (which Yahoo claims are unrelated to this 2014 hack) for three bitcoins or $1,860.
Despite Yahoo’s claim that hackers did not obtain unprotected passwords for financial information, users nevertheless face the threat of individuals accessing their financial information. Hackers can use a technique called “credential stuffing,” which plugs username and password combinations into various websites in the hope of finding a match. Credential stuffing has a 0.1 to 2 percent success rate, but with 500 million passwords, cybercriminals can potentially unlock and take over thousands of accounts.
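From the defender's side, the pattern described above shows up in login logs as one source trying many distinct usernames with a very low match rate. The following detection sketch is an added example, not part of the original article; the event format, thresholds, IP addresses and account names are constructed assumptions, and the 2 percent ceiling is the article's upper figure.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events: (source_ip, username, login_succeeded)."""
    events = []
    # Stuffing source: 200 distinct usernames, one try each, 2 matches (1%).
    for i in range(200):
        events.append(("203.0.113.7", f"user{i}@example.com", i in (17, 142)))
    # Office NAT: many users behind one IP, but nearly every login succeeds.
    for i in range(60):
        events.append(("198.51.100.20", f"staff{i}@example.com", True))
    # One person mistyping their own password, then getting it right.
    events += [("192.0.2.55", "alice@example.com", False)] * 3
    events.append(("192.0.2.55", "alice@example.com", True))
    # Brute force against a single account: many tries, one username.
    events += [("192.0.2.99", "bob@example.com", False)] * 300
    return events

def find_stuffing_sources(events, min_users=50, max_success_rate=0.02):
    """Flag sources that try many distinct accounts and match very few.

    min_users is an assumed threshold; max_success_rate uses the article's
    upper bound of 2 percent for credential stuffing.
    """
    stats = defaultdict(lambda: {"users": set(), "hits": set()})
    for ip, user, ok in events:
        stats[ip]["users"].add(user)
        if ok:
            stats[ip]["hits"].add(user)

    flagged = {}
    for ip, s in stats.items():
        rate = len(s["hits"]) / len(s["users"])
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "success_rate": rate,
                # Accounts that matched a reused password need a forced reset.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(build_sample_events()).items():
        print(ip, info)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password actually worked, so they are the first candidates for a forced reset and session revocation.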
But let’s consider that Yahoo’s claim is true and that the perpetrator worked at the behest of a state. A country could potentially allow a hacker or hackers to engage in cybercrime as a way to unsettle consumer confidence and skew consumer preferences. Just as Malaysia Flight 370 made people less willing to fly on the airline and hacks of U.S. voter registration databases eroded confidence that election results will be accurate, this hack may deter people from registering for new or maintaining existing Yahoo email accounts. This may change individuals’ preferences on a massive scale and should be a concern for us all.
Alexis Corn is a Mount Holyoke College alumna with a degree in international relations. She is currently staff assistant at a Washington, D.C.-based federal government relations firm.