Anonymous sources have claimed that the 'state actor' responsible for Yahoo's recent massive data breach may have been the US, alleging that government agents were responsible for at least one backdoor in the company's email infrastructure.
Yahoo announced last month that it had been hit by a data breach disclosing information on some 500 million customers, claiming that a 'state-sponsored' attacker was responsible. While many assumed said 'state' to be Russia or China, sources have come forward to claim that the US may have been behind the breach - or, at least, had backdoor access into Yahoo's email infrastructure at a level of which even the company's chief information security officer was unaware.
Speaking to Reuters, anonymous sources claiming to be former Yahoo employees have come forward to state that US intelligence officials installed a real-time information tap into Yahoo's email infrastructure, designed to alert the agency responsible for any emails matching a search string. This installation was officially sanctioned by Yahoo chief executive Marissa Mayer, the sources further claim, who granted the agency's request but did not see fit to inform chief information security officer Alex Stamos.
Stamos' security team discovered the backdoor, but initially believed it to be the work of outside attackers. When Mayer's authorisation was discovered, the sources claim, Stamos resigned and told the company's security division that the poorly-implemented data siphon could have provided anyone - including unauthorised attackers - with full access to the stored emails.
Yahoo has not issued comment on the claims in Reuters' story, beyond a one-sentence statement that it is 'a law abiding company and complies with the laws of the United States.' Its rivals, meanwhile, have been falling over themselves to take advantage of the PR opportunity, with Apple, Google, and Microsoft all issuing statements that they would refuse similar requests for real-time information taps on their email infrastructures.
UPDATE 20161006: Yahoo has issued a slightly more verbose statement describing Reuters' report as 'misleading,' and claiming that 'the mail scanning described in the article does not exist on our systems.' The statement does not, however, deny that the mail scanning described in the article ever existed on Yahoo's systems, nor does it deny the sources' claimed reasoning for chief information security officer Alex Stamos' departure from the company.