U.S. official blames Russia for Yahoo hack, security experts blame Yahoo’s negligence

Who hacked Yahoo? One report says Russia is being blamed. But a new lawsuit and a range of security experts say Yahoo itself is to blame in a big way.
(Glen Scott / Flickr)

An unnamed American official is pointing to Russian responsibility for the recently revealed hack on Yahoo that exposed data from more than 1 billion accounts. The official blamed a “‘state actor’ believed to be tied to Russia,” CBS News reported. No evidence or further explanation was offered about how the attribution was made.

The massive three-year-old breach is being described as a disaster impacting the entire internet.

The latest U.S. government finger-pointing toward Moscow comes as the U.S. intelligence community and political establishment debate the role Russia and its President Vladimir Putin played in influencing the 2016 American election with cyberattacks. President Barack Obama recently ordered a full intelligence community review of foreign efforts to influence recent presidential elections, a process Director of National Intelligence James Clapper is currently leading.

Coming just months after a separate hack exposed 500 million accounts, the latest news is bringing on a torrent of criticism from security experts who are pointing to huge problems in how sensitive data, including passwords, were stored and to catastrophic organizational clashes that had already led to high-profile departures of Yahoo security executives. Alex Stamos, Yahoo’s former chief information security officer, resigned after reportedly being ordered to build a backdoor for the U.S. government.


Less than a day after the hack was announced, Yahoo is already a target of a class action lawsuit.

“Yahoo failed, and continues to fail, to provide adequate protection of its users’ personal and confidential information,” New York consumer Amy Vail said in the complaint filed on Thursday. “Yahoo users’ personal and private information has been repeatedly compromised and remains vulnerable.”

Security experts agree.

“They’re not taking security seriously enough,” former Yahoo information security officer Jeremiah Grossman told CyberScoop. “Without a mandate from executives, they’re not going to make up much ground.”

But the future of security at Yahoo is, like everything else at the company, in flux. News of the two big breaches is undercutting a potential sale to Verizon, to the tune of a potential billion-dollar discount on the sale, originally slated for around $6.4 billion. Leadership at Yahoo will likely change, but there’s no telling what group will ultimately lead Yahoo.


With that kind of uncertainty, any mandate of support from executives could be out the window in a matter of months. Still, Grossman sees potential opportunity for anyone who joins Yahoo’s security team right now.

“If you’re at Yahoo right now and you have to do incident response, there are very few things that can benefit you skill-wise to that degree,” Grossman said. “How often do you get the opportunity to investigate a huge breach at a major corporation? It will make recruiting difficult. Not everyone will want to go into a live fire zone, but particular individuals can make a huge impact.”

But even with the opportunity disaster affords them, security professionals would be stepping into a cratered landscape.

Breaches happen to everyone, Grossman explained. But cookie forgery — and with it the ability to impersonate anyone, so “they had the keys to the kingdom” — went undetected for three years, a product of long-term negligence, he said.

It’s not clear whether we’ll ever see on-the-record blame by Washington toward Russia for this attack. Even if we do, U.S. intelligence is currently debating how much evidence of recent breaches can be unclassified due to the risk posed to human intelligence sources abroad.


“Having some of this evidence declassified, I think we need to be really careful because we’re talking about people’s lives. Whatever we decide, whatever we declassify, Russian intelligence will be studying it very closely,” Rep. Will Hurd, R-Texas, said this week.


Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
