A cybersecurity firm is telling two very different stories of the Yahoo hack to news organizations
A cybersecurity firm that analyzed the Yahoo data breach affecting at least 500 million user accounts has told competing news organizations two very different stories of who actually carried out the hack.
In an analysis posted on its website, InfoArmor says "tessa88" — an anonymous but prominent figure in underground forums who sells stolen databases — was the first to mention Yahoo credentials for sale in Feb. 2016. The firm said that tessa88 and another dark web broker called "Peace of Mind" were not the hackers, but acted as proxies for those who carried out the attack.
The hacker group "used these two guys to broker that data out," Bryon Rashed, senior director of marketing at InfoArmor, said in a phone interview.
The post itself did not actually say much about the hacker group behind the theft, except to say they were "professional blackhats who were hired to compromise" different organizations, including Yahoo.
InfoArmor Chief Intelligence Officer Andrew Komarov "said that a state-sponsored actor from Eastern Europe commissioned and later paid the hacker collective $300,000 for the Yahoo data trove. He said he didn't know if the hacks of the other social media companies were also commissioned by a state-sponsored actor, but believed it was likely," wrote NBC News, in an article published Wednesday morning.
Then, just a few hours later, Komarov was quoted in the Wall Street Journal seemingly disputing his own assertion:
“We don’t see any reason to say that it’s state sponsored. Their clients are state sponsored, but not the actual hackers.”
The competing narratives add to the confusion surrounding the Yahoo hack, which resulted in the theft of at least 500 million user accounts by what the company said was a "state-sponsored" actor.
It is possible that Komarov was trying to distinguish the alleged criminal hackers from the government client paying them, though a hacker group being paid by a state would rightly be considered "state-sponsored."
Business Insider tried unsuccessfully to reach Komarov over the phone Thursday morning. In an email, he later disputed that there was a discrepancy. We later reached InfoArmor's Rashed over the phone, and he tried to explain the firm's research.
"We didn't see any indication that they were commissioned," Rashed told Business Insider, disputing the NBC story reporting that Komarov said a "state-sponsored actor from Eastern Europe commissioned and later paid" the hacker group.
"They could have been hired by anybody, but no indication that they were hired by a state sponsor."
According to Rashed, InfoArmor's research found that a criminal hacker group broke into Yahoo, stole the data, then later sold it to three different groups, one of which was a state sponsor. In other words, according to the firm, a state sponsor was just a buyer.
"The database was sold for $300,000 to three groups, including the so-called state sponsored group," Rashed said. "Two of the groups were spammers, and one of the groups was a state sponsored group, which means [the hacker group] made almost a million dollars on this database."
A person familiar with the matter told Business Insider that "Yahoo stands 100% behind its assertion" of a state-sponsored actor, but declined to offer further evidence in support of that claim.
The more important question is when, not who
Many want to know exactly who carried out the attack on Yahoo, but the most important question at this point is exactly when the company learned it had been breached.
That's because Yahoo filed documents with the SEC on September 9 indicating there had "not been any incidents" of security breaches that could have an adverse effect on its business.
If it knew it had been hacked before that filing, the agency could rake the company over the coals over a lack of disclosure.
And if knowledge of the hack goes back even further than that — like before July, when Verizon agreed to buy Yahoo — the $4.8 billion deal could be in jeopardy.
A number of US Senators are also asking that question.
On Monday, Sen. Al Franken (D-Minnesota) and his colleagues wrote in a letter to Yahoo CEO Marissa Mayer: "We are even more disturbed that user information was first compromised in 2014, yet the company only announced the breach last week. That means millions of Americans' data may have been compromised for two years. This is unacceptable."
The letter went on to request a timeline of events surrounding the hack, among other questions. A Yahoo spokesperson told Business Insider the company had "received the letter and will work to respond in a timely and appropriate manner."
Yahoo declined to comment on the date it first learned of the breach when asked again on Thursday morning.
This post was updated on 9/29 at 12:30 p.m. PDT with new information from InfoArmor.