Cybersecurity Executive Admits Yahoo May Never Identify Hackers

Yahoo revealed the company will likely never track down the identity of the hackers who accessed over a billion user email accounts in 2013, the largest the data breach in history.

At TechCrunch Disrupt Monday, Bob Lord, the company’s Chief Information Security Officer, said his team had “turned over as many rocks as they could find” to no avail.

It was the second of the two largest data breaches in history that the company revealed in 2016. A staggering 500 million user accounts were compromised beginning in late 2014, but the breach was only discovered in July last year. The 2014 hack has been attributed to Russian intelligence officers and hackers they recruited, according to a Department of Justice indictment made in March.

When the Yahoo team discovered the second breach, which it believes is separate from the state-sponsored hack discovered in July, Lord says “people were battle weary at that point.” The company was forced to publicly disclose the breach in December while it was negotiating an acquisition deal with Verizon.

The combination of breaches slashed $350 million off the price for Yahoo, but the deal still went through. The CISO says Verizon’s security team was understanding about the hacks. “If you’ve been in the business for enough years you’ve had a few skirmishes,” he explained.

When pressed by the Disrupt moderator if he could confirm there were no intruders in the Yahoo system at the moment, Lord answered, “it’s hard to prove a negative.” The CISO went on to say that there’s no way cybercriminals could get into their system in a similar way—but stopped short of revealing how the original hack could have happened.

Aside from the number of user accounts compromised, the data breaches were remarkable given the level of access and control the intruders had. One hacker able to redirect searches for “erectile dysfunction medications” on the Yahoo search engine to an online pharmacy, which paid the hacker a bounty.