Thousands of Australian Government officials, including high-profile politicians and senior Defence officials, are among the 1 billion victims of the massive Yahoo data breach, according a secret dataset obtained recently by the ABC.
Data provided by US security company InfoArmor, which alerted the Department of Defence of the massive data breach last October, reveal more than 3,000 log-in credentials for private Yahoo services were linked to Australian Government email accounts.
InfoArmor, an Arizona-based cybersecurity firm which investigates data theft for law enforcement agencies, said the data was stolen from Yahoo in 2013 by a hacker organisation from Eastern Europe.
It said the hacker group then sold the Yahoo accounts to cyber criminals and a suspected foreign intelligence agency for $US300,000 each.
Yahoo revealed late last year that it believed hackers had stolen data from more than 1 billion user accounts in August 2013, in what is thought to be the largest data breach at an email provider.
A Department of Defence spokesperson confirmed key events to the ABC, including:
- Defence was notified of the breach last October via an intermediary from NSW Police, two months before Yahoo announced the data breach to the public
- It then notified its own affected employees of the breach
It remains unclear whether affected staff from other Commonwealth agencies have also been notified by their departments.
The stolen database contains email addresses, passwords, recovery accounts, and other personal identifying data belonging to a startling array of senior Australian officials.
Among those affected include Social Services Minister Christian Porter, shadow treasurer Chris Bowen, Victorian Premier Daniel Andrews, Liberal MP Andrew Hastie, opposition health spokesperson Catherine King and Liberal senator Cory Bernardi.
It is unclear how many of the accounts are still active.
The ABC was able to identify officials in the dataset because they had used their government emails as backups if they forgot their passwords.
Last week, the ABC approached each of these affected politicians’ offices, as well as some public servants, seeking confirmation of the authenticity of these log-in credentials. Most declined to do so.
The compromised accounts do not exclusively relate to clients of Yahoo’s email service, but also Yahoo-affiliated web services such as the microblogging site Tumblr and the photo sharing site Flickr.
A spokeswoman for Mr Porter said “as far as the Minister is aware he has never used a Flickr account”.
A spokesperson for Senator Bernardi said “to the best of his knowledge, [senator Bernardi] doesn’t have a Yahoo account.”
One advisor told the ABC it was possible some accounts linked to politicians were set up by former staffers.
Others who did respond confirmed the log-in credentials are accurate.
Accounts linked to police, judges also compromised
Other government officials compromised include those carrying out sensitive roles such as high-ranking AFP officers, AusTrac money laundering analysts, judges and magistrates, political advisors, and even an employee of the Australian Privacy Commissioner.
Alastair MacGibbon, the Prime Minister’s Cyber Security Special Advisor, described the size of the Yahoo breach as breathtaking.
“It’s really what’s inside those accounts that matters,” Mr MacGibbon added.
“If there are compromising activities inside those accounts — again, whether I work for a corporate or government it doesn’t really matter — criminals may exploit that. Criminals may exploit me recycling a password.”
Mr MacGibbon said the magnitude of the breach made it hard to determine precisely how many of the affected Australian accounts were currently active.
The ABC understands the Yahoo account belonging to Mr Andrews has not been used by him in years.
The revelations come shortly after a Gmail account belonging to Hillary Clinton’s campaign chairman, John Podesta, was compromised and its contents leaked at a critical juncture during the US election.
Some Democrats say the Podesta email leaks contributed to Mrs Clinton’s loss by exposing years of his private communication to the world. The Podesta saga demonstrated just how damaging a single compromised private email account could be.
Risk email details could be used against victims
Professor Richard Buckland from the Australian Centre for Cyber Security said there could be serious embarrassment awaiting Australian officials from this Yahoo breach.
“There’s potentially information in there that is blackmail-able,” he said.
“Perhaps records of transactions of purchases, or discussions or things they’ve done. Private conversations that they didn’t want to do on a government server. Perhaps they’ve engaged in some sort of shady activity. Or just expenses for politicians, for example, that they might have tried to keep out of official channels.
“Blackmail information is very valuable to other governments for nudging or persuading people to do things.”
Another challenge facing the Government is how to deal with compromised private accounts belonging to some Australian diplomats and special defence personnel posted overseas. Many of the officials featured in the dataset are employed in roles with security clearances that are intended to be low-profile.
“If I was in a position where my relationship with the government wasn’t to be known by others, then absolutely you shouldn’t be linking a government account to your personal accounts,” Mr MacGibbon said.
Hackers have had years to exploit data
A further problem is the protracted period between the Yahoo data breach itself, which dates back to March 2013, to the eventual public confirmation of Yahoo, over three years later.
Andrew Komarov, InfoArmor’s chief intelligence officer, said malicious hackers would have had literally years to exploit the users’ data.
“The bad actors had enough time to compromise any records they wanted as it’s a pretty significant time frame,” Mr Komarov said.
“That’s why today is pretty hard to figure out what exactly happened and how many employees in government could be compromised.”
According to InfoArmor, the hacker group responsible are an Eastern European cyber-criminal organisation motivated by profit, rather than a state-sponsored entity.
“This group has no presence on any forums or marketplaces. In the past they used two proxies: one for the Russian-speaking underground and another one for the English-speaking,” Mr Komarov said.
“They sell their data indirectly using some trusted channels, contacts and proxies. Not through any marketplaces or forums because of their security measures. They don’t need it.
“They have pretty serious contacts in the underground and some trusted rounds of various cybercriminals with whom they work.”