The massive hack affecting a billion Yahoo users shows how seemingly innocuous bits of data gleaned from cyber attacks can be exploited for profit — and potentially for espionage and information warfare.
The latest breach disclosed Wednesday is the largest on record and comes just months after Yahoo disclosed a separate breach of data from 500 million users.
On the surface, the trove of data is “a bunch of junk,” says John Dickson at the security consultancy Denim Group.
But he said that the ability to create a searchable database from tidbits of data such as birth dates and phone numbers makes the trove enormously valuable to hackers seeking to make a profit, or for industrial or state espionage.
“If you’re trying to research and get information about a target, you’re going to use everything you can find,” said Dickson, a former officer in the Air Force Information Warfare Center.
The Yahoo hack did not collect credit card or social security numbers, leading some analysts to speculate that the goals were not financial.
“For someone using data as a weapon, this is of tremendous value,” said Steve Grobman, chief technical officer at Intel Security.
The disclosure of the breach comes amid intense scrutiny over cybersecurity in the US election campaign and the potential impact of hacked email accounts from people close to Democratic presidential candidate Hillary Clinton.
One of the hacks targeted a Gmail account of Clinton campaign chairman John Podesta, who, according to media reports, was fooled by a fake email that prompted him to reveal his password.
Security analysts say these kinds of attacks are often preceded by lengthy data-gathering campaigns that might look for personal information such as a birth date or former school or university.
Yahoo said it was not clear who was behind the billion-user hack but that some evidence pointed to “the same state-sponsored actor” believed responsible for the previously disclosed cyber attack.
The security firm InfoArmor said in September its analysis of the first breach indicated “professional” hackers stole the Yahoo data, and only later sold it to a state entity.
InfoArmor said at the time that the breach “opens the door to significant opportunities for cyber espionage and targeted attacks to occur.”
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think tank, argues that these hacks can fuel disinformation campaigns, which are a new tool used by governments.
“Espionage and geopolitical manipulation can now be easily achieved through cyber and information warfare from any adversary,” Scott said in a recent blog post.
“Now, at least China, Iran, Russia, and Venezuela have funded political propaganda campaigns that digitally weaponized information by spreading disinformation and polarizing content throughout Western nations.”
Scott noted that the breaches affecting Clinton and the Democratic National Committee were “dangerous because they provide a context-less release of information to the public that breeds distrust and resentment.”
Grobman said an additional concern is that attackers may mix real data with manipulated information to distort facts, creating further confusion and mistrust.
“One of the things we are concerned about is that the public is conditioned to see leaked data as legitimate, and this data can be manipulated,” Grobman said.
Hacking for profit?
Some analysts argue that the hackers’ goals may be more financial than political.
Security researcher Graham Cluley said certain bits of information such as phone numbers could be of value to criminals.
“If a hacker or scammer has your telephone number, they can ring you up and trick you into believing they are an organization you already have a relationship with, which means that you might be tempted to hand over more personal information,” Cluley said in a YouTube posting.
James Lewis, a senior fellow specializing in cybersecurity at the Center for Strategic and International Studies, said new analytics tools can sift through databases for political espionage purposes, but that it is not clear if Russia has those capabilities.
“If you’re a criminal, you would think you could monetize a billion accounts,” Lewis said. “Even if you got a penny or a dime for each, you would still be making a lot of money.”
The attacks also pose a new threat to the future of Yahoo, the former internet star which has seen its fortunes decline and is in the process of selling its main assets to telecom group Verizon.
Dickson said it’s likely that “Verizon is doing a double take” on the $4.8 billion deal.
“If this kills that deal, I think it will increase the focus on cybersecurity hygiene across the board,” he said.