SAN FRANCISCO — Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.
The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.
No one knows what happened to the data during the next three years. But last August, a geographically dispersed hacking collective based in Eastern Europe quietly began offering the whole database for sale, according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm, who monitors the dark corners of the internet inhabited by criminals, spies and spammers. Three buyers — two known spammers and an entity that appeared more interested in espionage — paid about $300,000 each for a complete copy of the database, he said.
The attack, which Yahoo disclosed on Wednesday, is the largest known data breach of a company. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source.