A cyber security firm has challenged Yahoo and the FBI’s claim that the hackers who stole the details of about 500 million users were state-sponsored.
Arizona-based InfoArmor issued a report claiming that the breach, the largest in history, was the work of an Eastern European criminal gang.
Names, email addresses, telephone numbers, dates of birth and encrypted passwords were taken in the 2014 attack, according to Yahoo. Credit card data was not stolen.
The FBI said last week it was investigating the alleged breach “by what we believe is a state-sponsored actor” but declined to name the country it believes carried out the attack.
At the time Reuters reported three unnamed US intelligence officials believe the attack was state-sponsored becauseof its similarity to previous hacks linked to Russian intelligence agencies.
InfoArmor, which guards companies against employee identify theft, said the stolen data was sold to at least three clients, including one state-sponsored group.
Andrew Komarov, the firm’s chief intelligence officer, said InfoArmor concluded the hackers were criminals after reviewing a sample of compromised accounts.
Known as ‘Group E’, they have been previously linked to breaches at LinkedIn, Tumblr and MySpace, Komarov said.
“They have never been hired by anyone to hack Yahoo,” Komarov said.
“They were simply looking for well known sites that had many users.”
There have been rumours about such a breach for months while Yahoo was warned that it could have been targeted before Verizon move to buy it for $4.8 billion in August.
That deal, which is yet to go through, could now be in jeopardy.
Many users have expressed anger on social media that Yahoo did not detect the breach and failed to notify them two months ago when concerns were first raised.
In August a hacker known as ‘Peace’ claimed to be selling details from a Yahoo breach – usernames, passwords and dates of birth from 2012 – for three bitcoins (£1,360).