Sunday, 13 November 2016


The breach was disclosed in September and Yahoo blamed state-sponsored attackers, a claim that was challenged by some experts who instead said a criminal outfit was behind the attack and may have sold some of the data to an Eastern European government.

The SEC filing also contains a confirmation from Yahoo that Verizon’s multibillion-dollar acquisition of Yahoo’s core business could be in jeopardy, and that Verizon could seek to terminate or renegotiate the terms of the sale. Verizon executive vice president Marni Walden said at a Wall Street Journal event 10 days ago that it was still moving forward with the acquisition, but according to the Journal, stopped short of saying that it would not put a halt to the deal if necessary. “What we have to be careful about is what we don’t know,” Walden said. “We’re not going to jump off a cliff blindly so we need to have more information before we can determine, but strategically the deal still makes a lot of sense to us.”

Yahoo said that claims in July from hackers that 200 million account credentials were available for purchase on an underground hacker forum prompted a deeper investigation into the security of its network and a broader look at the 2014 intrusion.

“In addition, the forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the Security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” Yahoo told the SEC. It added that on Monday, law enforcement shared evidence, provided by a hacker, that allegedly consists of legitimate Yahoo account information; Yahoo said it is investigating. Yahoo told the SEC that the stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted and unencrypted security questions and answers.
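The filing does not say how Yahoo's cookies were built, so the following is an added illustration rather than Yahoo's code: a typical signed session cookie is an HMAC over a small payload, and whoever holds the server's signing key can mint a cookie for any user and skip the password entirely, while an attacker without the key cannot. The cookie layout, the key, the user names and the time values are constructed for the example.

```python
"""
Added example: why a forged session cookie bypasses the password step.
Not code from the original article or from Yahoo; format and key are assumed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side signing key. Anyone who obtains it can mint valid
# cookies for arbitrary users, which is the failure mode described in the filing.
SERVER_KEY = b"example-server-signing-key-do-not-use"


def _sign(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def mint_cookie(user: str, ttl: int, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> str:
    """Build 'base64(json claims).hmac' the way a login handler would after a
    successful password check. An attacker holding `key` can call this too."""
    now = time.time() if now is None else now
    claims = json.dumps({"user": user, "exp": int(now + ttl)}, sort_keys=True)
    body = base64.urlsafe_b64encode(claims.encode()).decode()
    return f"{body}.{_sign(body, key)}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user the cookie authenticates, or None if it is invalid or expired."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison; a plain == leaks the MAC one byte at a time.
    if not hmac.compare_digest(_sign(body, key), sig):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims.get("user")


def tamper_without_key(cookie: str, new_user: str) -> str:
    """Attacker attempt: rewrite the claims but reuse the old signature."""
    body, sig = cookie.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["user"] = new_user
    new_body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    legit = mint_cookie("alice", 3600, now=1000)
    print("legit cookie ->", verify_cookie(legit, now=2000))
    print("tampered, no key ->", verify_cookie(tamper_without_key(legit, "victim"), now=2000))
    print("minted with stolen key ->",
          verify_cookie(mint_cookie("victim", 3600, key=SERVER_KEY, now=1000), now=2000))
    print("after key rotation ->", verify_cookie(legit, key=b"rotated-key", now=2000))
```

The last line of the demo is the practical takeaway: once the signing key is suspected stolen, rotating it invalidates every cookie minted under the old key, legitimate or forged, which is why such incidents end with forced re-logins.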

Yahoo reaffirmed earlier statements that no payment card data or bank account information was stolen; that information, Yahoo said, was not stored on the systems that were accessed. News of the Yahoo breach surfaced at a time when large-scale password dumps were being disclosed in waves. Most of the Yahoo passwords were hashed using bcrypt, but some were protected with MD5, a long-outdated algorithm that is considered unsafe and has been deprecated in many corners. Security company Venafi said in late September that data collected from its internal certificate reputation service indicates that Yahoo’s cryptographic practices were a mixed bag of outdated hashes and self-signed certificates, none of which are entirely secure. Beyond the use of SHA-1 and MD5, for example, Venafi said that it found a wildcard certificate with a five-year validity period, much longer than the usual 12 to 18 months.

It added that 27 percent of certificates on external Yahoo sites had been in place since January 2015 and that fewer than 3 percent had been issued in the previous 90 days. Weak certificates have been abused in the past to redirect traffic or to pose as a Yahoo site and steal credentials or intercept traffic. Members of Congress soon weighed in with a letter to CEO Marissa Mayer demanding to know why it took Yahoo two years to disclose the attack, expressing dismay that users’ data had been exposed for that entire period. Vermont Senator Patrick Leahy called the situation “unacceptable.”

The breach, Yahoo told the SEC, has also given rise to 23 class-action lawsuits filed against the company, claiming harm and seeking damages and relief. Yahoo said it spent $1 million in the third quarter of this year on its breach investigation, but said the breach did not materially affect its business or cash flow for the quarter. Yahoo also admitted in its filing that it does not carry cybersecurity liability insurance.

See more at: Yahoo Tells SEC It Knew About Data Breach in 2014

Sixth Individual Arrested in Connection with Bitcoin Exchange Linked to JPMorgan Hack

A Florida man is the latest person to be charged in connection with alleged illegal activities at a now-defunct unlicensed bitcoin exchange. Riccardo Hill, a resident of Brandon, Florida, was charged with conspiring to operate an unlicensed money transmitting business. He was released Thursday on a $75,000 bond following a court appearance in Manhattan.

Hill, 38, was arrested in October. He is the ninth person to be arrested following the investigation into the JPMorgan data breach that was disclosed in 2014. Prosecutors claim the exchange was owned by Gery Shalon, an Israeli charged with masterminding the hacks that breached JPMorgan and other companies.

Shalon and Ziv Orenstein, another Israeli, were arrested in Israel in July 2015. They were extradited to the US and pleaded not guilty to a hacking and fraud scheme that included, but was not limited to, JPMorgan. Prosecutors said the scheme dated back to 2007 and compromised the personal information of more than 100 million people.

A third individual, Joshua Aaron of Florida, is also wanted in connection with these charges. Aaron is believed to have fled to Russia, which he visited frequently. This has led to suggestions that the actual hacker behind the JPMorgan intrusion and others (as opposed to its orchestrators) may be Russian. Last month Bloomberg reported that Aaron had been located in Russia but is no longer welcome there: "The only American suspect named in the largest known hack of Wall Street is negotiating his return to the U.S. from a detention cell in Russia, where he's no longer welcome."

The investigation into the JPMorgan breach led to Shalon, and Shalon led to the exchange, which seems to have been used as a laundering facility for other criminal activities, including the proceeds of ransomware. It is possible that the personal details stolen in the JPMorgan and other hacks helped facilitate some of this illegal activity. The exchange was operated by Anthony Murgio, also from Florida. He and four others associated with it were arrested around the same time as Shalon. At that time the FBI stated: "Murgio and his co-conspirators knowingly enabled the criminals responsible for those attacks to receive the proceeds of their crimes, yet, in violation of federal anti-money laundering laws, Murgio never filed any suspicious activity reports regarding any of the transactions."

The latest charge against Hill claims that he was employed as a finance support manager and business development consultant for that unlicensed bitcoin exchange. The complaint against Hill claims that he and others profited from numerous bitcoin transactions conducted on behalf of victims of ransomware schemes.