The tech company Yahoo has revealed that an "unauthorized third-party" managed to steal account data for more than a billion of its users. Now, the question on everyone's mind is not merely who, but why?
Unlike other high-profile breaches affecting services such as LinkedIn, MySpace and Ashley Madison, it does not appear that the stolen Yahoo data has been widely shared or publicized online. Rather, the intrusion — which Yahoo says occurred in August 2013 — remained undetected for over three years, until law enforcement brought the matter to Yahoo's attention last month.
It suggests that that whoever stole the company's data may not have been motivated by a quick chance at profit — or, chose to use the data more discreetly — if they were they were after profit at all.
In September, Yahoo announced a separate but related incident in which the account data of 500 million users was also stolen, and attributed the attack to a "state-sponsored actor" — a now-common cybersecurity euphemism for either a foreign government or a group acting on a government's behalf.
But in this newly discovered hack, it's not clear who accessed the massive trove of user information — which included names, email addresses, phone numbers and secured passwords, but not financial data — or how the hacker infiltrated Yahoo's systems.
If this most recent attack is also state-sponsored, says Albert Gidari, the director of Privacy at the Stanford Center for Internet and Society, "it's government espionage that's really at issue."
Gidari says the size of the breach fits the profile of a government actor, which is typically motivated by an interest in collecting "large volumes of data that gets warehoused for future reference."
"Governments collect because they have voracious appetites for data," Gidari explained. "And they don't have storage limitations, and they're not driven by the economics of commercialism when they act on this stuff. So they may find many uses for it down the road."
Government actors aside, the sheer breadth and depth of the stolen data suggests it could have other uses, depending on who has control of the trove.
While some attackers have been known to quickly sell or share the stolen data for others to use, massive datasets of user information can potentially be more valuable to sophisticated or savvy hackers if kept secret long term.
"Depending on who's got it, you might want to, rather than sell it, extract information out of [the accounts], and sell that information, rather than give up the fact that you've got all that information," says Marcus Thomas, who was the FBI's assistant director of operational technology until 2011, and is now the chief technology officer of Subsentio, a provider of legally authorized surveillance services to law enforcement in the U.S.
Bloomberg, for example, reported that the breach included more than 150,000 addresses linked with U.S. government and military personnel, based on an analysis of previously released data of stolen Yahoo email addresses, which have been specifically targeted in the past by independent hacking groups and governments alike.
"It's really a trove for any government to obtain this kind of volume," Gidari said — and if that's the case, "the repercussions from it are not going to be immediately visible."