
Law enforcement says Yahoo account hacks were likely sponsored by foreign government

A Yahoo mail account seen on a smart phone. 

CBS News

SAN FRANCISCO -- A U.S. official briefed on the Yahoo hack tells CBS News that law enforcement agrees with the company that the hacks were the work of a state actor.

The state actor is believed to be tied to Russia. 

Yahoo revealed on Wednesday that information was stolen from more than 1 billion user accounts in 2013. In September, it had disclosed a separate 2014 hack of some 500 million accounts.

In a statement, Yahoo said it has connected “some of this activity to the same state-sponsored actor” responsible for the September hack.

Yahoo shares slid Thursday on worries that Verizon will walk away or slash its $4.8 billion offer for the company’s digital operations after the massive data breach. 

Verizon had said it would reevaluate the Yahoo deal after the first hack, and said the same Wednesday after the latest revelation. Verizon spokesman Bob Varettoni on Thursday declined to comment beyond the company’s Wednesday-night statement. Yahoo did not immediately respond to a request for comment.

The deal was expected to close by March 2017.

If the hacks drive Yahoo’s users away, the company wouldn’t be as valuable to the telecom giant in its quest to build a digital-ad business that could rival industry giants Google and Facebook.

Yahoo has said that the September announcement of the 2014 hack didn’t hurt traffic to its services. 

Yahoo shares fell 4.7 percent, or $1.91, to $39 in afternoon trading. Verizon shares rose 40 cents, or less than 1 percent, to $52.03.

The digital heist disclosed Wednesday occurred in August 2013.

“Yahoo previously disclosed that its outside forensic experts were investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, the company believes an unauthorized third party accessed the company’s proprietary code to learn how to forge cookies,” the statement reads. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. Yahoo is notifying the affected account holders, and has invalidated the forged cookies.”

“It’s shocking,” said security expert Avivah Litan of Gartner Inc.

Two hacks, more than 1 billion accounts 

Yahoo didn’t say if it believes the same hacker might have pulled off two separate attacks. The Sunnyvale, California, company blamed the late 2014 attack on a hacker affiliated with an unidentified foreign government, but said it hasn’t been able to identify the source behind the 2013 intrusion. 

Yahoo has more than a billion monthly active users, although some have multiple accounts and others have none at all. An unknown number of accounts were affected by both hacks. 

In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected. 

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases. 

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.) 

Security experts said the 2013 attack was likely the work of a foreign government fishing for information about specific people. One big tell: It doesn’t appear that much personal data from Yahoo accounts has been posted for sale online, meaning the hack probably wasn’t the work of ordinary criminals. 

That means most Yahoo users probably don’t have anything to worry about, said J.J. Thompson, CEO of Rook Security.

Questions for Verizon

News of the additional hack further jeopardizes Yahoo’s plans to fall into Verizon’s arms. If the hacks cause a user backlash against Yahoo, the company’s services wouldn’t be as valuable to Verizon, raising the possibility that the sale price might be re-negotiated or the deal may be called off. The telecom giant wants Yahoo and its many users to help it build a digital ad business. 

After the news of the first hack broke, Verizon said it would re-evaluate its Yahoo deal and in a Wednesday statement said it will review the “new development before reaching any final conclusions.” Spokesman Bob Varettoni declined to answer further questions. 

At the very least, the security lapses “definitely will help Verizon in its negotiations to lower the price,” Litan predicted. Yahoo has argued that news of the 2014 hack didn’t negatively affect traffic to its services, strengthening its contention that the Verizon deal should be completed under the original terms. 

“This just adds fuel to the fire and it won’t help Yahoo’s cause,” said Eric Jackson, a longtime critic of the company’s management. Although he has in the past, Jackson doesn’t currently own Yahoo stock.

Investors appeared worried about the Verizon deal. Yahoo’s shares fell 96 cents, or 2 percent, to $39.95 after the disclosure of the latest hack.