Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services.
The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.
The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.
No one knows what happened to the data during the next three years. But last August, a geographically dispersed hacking collective based in Eastern Europe quietly began offering the whole database for sale, according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm, who monitors the dark corners of the internet inhabited by criminals, spies and spammers. Three buyers — two known spammers and an entity that appeared more interested in espionage — paid about $300,000 each for a complete copy of the database, he said.
The attack, which Yahoo disclosed on Wednesday, is the largest known data breach of a company. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source.
Yahoo still does not know who broke into its systems in 2013, how they got in or what they did with the data, the company said Wednesday. It has made more progress tracking down a separate hacking episode in 2014, which compromised 500 million email accounts and was disclosed in September. The company has said it believes the 2014 attack was sponsored by a government entity but has not identified it.
The two huge breaches revealed this fall threaten to erode consumer confidence in the company and are endangering its deal to sell its internet businesses to Verizon Communications for $4.8 billion. On Thursday, Yahoo’s stock plunged 6 percent as investors worried that Verizon would abandon the purchase.
Mr. Komarov said in an interview on Thursday that his company obtained a copy of the database and over the last few months alerted military and law enforcement authorities in the United States, Australia, Canada, Britain and the European Union about the breach. After those parties verified the authenticity of the stolen records, he said, some of them went to Yahoo with their concerns.
InfoArmor did not go to Yahoo directly, Mr. Komarov said, because the internet giant was dismissive of the security firm when approached by an intermediary. He also said he did not trust Yahoo to thoroughly investigate the breach since it could threaten the sale to Verizon.
Mr. Komarov worked in counterterrorism before joining Group-IB, a Moscow security firm. In 2013, he and a colleague left to form IntelCrawler, which drew attention for its work tracking the Syrian Electronic Army and the young hacker behind a large breach of the retailer Target’s systems. IntelCrawler was acquired by InfoArmor in 2015.
Yahoo said Thursday that it could not verify Mr. Komarov’s claims, which were made public on Wednesday. “The limited InfoArmor data set provided to us, based on initial analysis, could be associated with the data file provided to us by law enforcement,” the company said in a statement. “That said, if InfoArmor has a report or more information, Yahoo would want to assess that before further comment.”
The Federal Bureau of Investigation said in a statement that it was investigating the Yahoo breach. Attorney General Eric T. Schneiderman of New York also said his office was in touch with Yahoo to examine the circumstances of the data breach.
Verizon has said that it is weighing its options, which range from demanding a price cut to walking away altogether. Yahoo may still prove attractive, given the sheer size of its user base. But a huge defection of users would drastically lessen its value to Verizon.
The question will be whether the telecom giant can be shielded from potential legal liability. Verizon already has an army of lawyers from heavyweight firms like Wachtell, Lipton, Rosen & Katz advising it on the deal.
If Verizon tried to walk away, the company could still find itself ensnared in a long legal battle. Efforts by companies to wiggle out of deals — usually by exercising escape hatches in transaction contracts — have often failed.
Security experts and former government officials warned that the real danger of the Yahoo attack was not that hackers gained access to Yahoo users’ email accounts, but that they obtained the credentials to hunt down more lucrative information about their targets wherever it resided across the web.
“This wasn’t an attack against Yahoo, but rather reconnaissance to launch other campaigns,” said Oren Falkowitz, a former analyst at the National Security Agency who now runs Area 1, a Silicon Valley security start-up.
“Inactive or not, a billion user accounts and hashes means attackers have a golden key for new phishing attacks,” he said. In a phishing attack, a hacker often poses as a trusted contact and tries to induce the recipient of an email to click on a malicious link or share sensitive information.
Users routinely ignore advice to use different passwords for their different accounts across the web, which means a stolen Yahoo user name and password could open the door to more sensitive information in online-banking, corporate or government email accounts.
Mr. Komarov said the group that hacked Yahoo in 2013, which he calls Group E, appeared to be motivated by money, not politics. It is believed to have broken into the systems of major American internet companies like LinkedIn, Myspace, Dropbox and Tumblr, as well as foreign-owned services like VKontakte, a Russian social network similar to Facebook.
Group E sometimes sells complete copies of the data, Mr. Komarov said. It also combines information from different hacking forays into a master database. Like a corporate marketer, it peddles chunks of the data to spammers seeking to reach specific audiences, like middle-aged women who live in certain ZIP codes. It sometimes operates through intermediaries.
Hold Security, another firm that monitors the so-called dark web, said that as recently as the end of October, hackers were actively trying to sell the stolen Yahoo data for as much as $200,000.
At the time, the sellers told Hold Security employees that they had been given access to a live Yahoo database through what they claimed was an intermediary at “Department K,” a part of the Russian Interior Ministry that combats high-tech crimes. But when Hold Security employees pressed the sellers for samples of the live data, they were instead given screenshots of a stale Yahoo database from 2013, said Alex Holden, the chief executive of Hold Security.
That database of 1 billion Yahoo accounts, Mr. Komarov said, is still for sale, although current bids are coming in at $20,000 to $50,000 since the data is much less valuable now that Yahoo has changed the passwords. “There is now huge interest in Yahoo’s database,” he said. “We know that there will be some new deals.”