More than 150,000 U.S. government and military employees are among the victims of Yahoo! Inc.’s newly disclosed data breach, and their names, passwords, telephone numbers, security questions, birth dates, and backup e-mail addresses are now in the hands of cybercriminals. It’s a leak that could allow foreign intelligence services to identify employees and hack their personal and work accounts, posing a threat to national security. These employees had given their official government accounts to Yahoo in case they were ever locked out of their e-mail.
The government accounts belong to current and former White House staff, U.S. congressmen and their aides, FBI agents, officials at the National Security Agency, the Central Intelligence Agency, the Office of the Director of National Intelligence, and each branch of the U.S. military. The list includes an FBI division chief and multiple special agents working around the U.S.; current and former diplomats in Pakistan, Syria and South Africa; a network administrator at NSA’s Fort Meade headquarters; the chief of an Air Force intelligence group; and a human resources manager for the CIA.
On Wednesday, Yahoo revealed the second major breach of its systems, following the September disclosure of a widespread hack. The newly announced intrusion, which occurred in 2013, affected more than 1 billion users, and the government employee data is likely part of that cache. The other hack was disclosed earlier but took place later, in 2014, and Yahoo has said it threatened 500 million accounts. “Yahoo has taken steps to secure user accounts and is working closely with law enforcement,” the company said in a statement issued Wednesday.
The information about the government employees comes from a cyber-security researcher, Andrew Komarov, who discovered a stolen database of Yahoo user information involving hundreds of millions of accounts and turned it over to the government, which in turn alerted Yahoo. Bloomberg News reviewed the database and confirmed a sample of the accounts for accuracy. Yahoo declined to comment on the stolen government employee information.
Former intelligence officials said the leak of government worker data could make the job of foreign spies easier, creating an alphabetized hit list of targets for hacking. “We went to great lengths to keep the fact people worked at NSA as low-profile as we possibly could. The last thing we’d want is an alpha list of NSA employees,” said Lonny Anderson, former technology director for the NSA and now executive vice president at security company Federal Data Systems Inc.
Gaining access to personal e-mail accounts, even unofficial ones, can be extraordinarily valuable. Clinton campaign chief John Podesta’s Gmail account was hacked in March, revealing over a decade of private communications and fueling weeks of attacks on Hillary Clinton in the crucial final weeks of the U.S. presidential election. The hack was part of a propaganda campaign that U.S. intelligence officials believe was orchestrated by Russia to influence the election.