【E-commerce 0322】雅虎被黑：你仍然不知道的五件事

刘颖

The Justice Department dropped a stunner of a document this week that revealed how Russian spies worked with common criminals to strip mine information from millions of Yahoo user accounts. In a 39-page indictment, the government revealed new details about the colossal data breach, plus some bizarre tidbits—like how one of the hackers used the Yahoo information to also push erectile dysfunction drugs.

The unsealed indictment and a press conference by the federal government announcing cyber crime charges against four men explains a lot about who hacked Yahoo and how they did it. But there are still some major questions for which both consumers and investors need answers. Here are five things we have yet to learn:

刘颖

What about the 1 billion accounts hacked in 2013?

The Justice Department news is about the hack of 500 million accounts—everything from email to fantasy sports services—that took place in 2014, and which Yahoo disclosed in September. The announcement, however, was oddly silent about an even bigger breach of 1 billion accounts that took place in 2013, and which the company disclosed in December.

What's the story? Was the 2013 hack unrelated to the allegedly state-supported Russian intrusion of 2014? Or is it possible the 2013 attack was also carried out by Russian criminals like the main culprit named in this week's indictment without government involvement? If the latter theory is correct, it would undercut the argument the Yahoo hack was "state sponsored" in origin—and makes it more likely the hacks are another example of the Kremlin spy machine piggy-backing on the work of cyber-criminals.

刘颖

Who are the unnamed executives and companies that got hit by the hackers?

The Russian hackers allegedly broke into the Yahoo accounts of senior executives at big U.S. companies, including a major airline and a financial firm. If this is the case, they could have obtained all sorts of sensitive corporate information, especially if (as is not uncommon) the executives used these non-work emails to communicate with key staff.

The indictment also describes how the hackers gained access to the "Yahoo users' accounts of three different offices of U.S. Cloud Computing Company 1." Obviously, it's not possible to know which cloud company this is—it could be anyone from Amazon Web Services to Salesforce to Microsoft to some other firm. But it's worth noting the infiltration of their executives' Yahoo accounts could be a stepping stone into breaking into their corporate accounts, and gaining access to information about the cloud company's customers.

刘颖

Why did the Justice Department announce this now?

There have been leaks for months that the Justice Department was investigating the Yahoo hacks, so the news of the indictment was not a huge surprise. But given how political the topic of Russian hacking has become, it's worth asking why the agency chose this week to announce it.

It's possible the timing simply coincides with the end of the investigation. But a person with ties to the Justice Department, who was not authorized to speak for attribution, said the timing may be more deliberate. Specifically, this person said many suspect the Yahoo file have come to the attention of new Attorney General Jeff Sessions, who then pressed to publicize it to show he and the Trump Administration want to take a hard line on Russian hacking.

刘颖

Who at Yahoo knew about the hacking,  and when?

This remains the most burning and sensitive question of all. Since it disclosed the attacks in September, Yahoo has been coy (to put it politely) about what happened. The company has conceded it first learned of the breach in 2014, but it also suggested the matter somehow never reached the level of importance to notify senior management.

CEO Marissa Mayer is sticking to her story that she learned of the attack shortly before everyone else, including Verizon, which by then had decided to buy the company. And in early March, Mayer basically made Yahoo lawyer Ron Bell the fall guy for the whole incident—a move that was lambasted on social media and by prominent tech journalist Kara Swisher.

If this official account is true, it still doesn't explain who first learned of the account hacking, and how far up the executive chain the news traveled. This week's news shed no light on the matter—but it's a good bet class action lawyers will use the legal discovery process to reveal what actually happened.

刘颖

What will the SEC do?

The Justice Department's announcement takes care of the criminal side of the Yahoo breach, even if three of the four hackers are unlikely to ever see a U.S. jail cell, since they are in Russia.

But there is also a second major investigation swirling around the Yahoo incident, one that is reportedly being carried out by the Securities and Exchange Commission. The SEC probe turns on whether the company broke the law by failing to disclose the breach to investors, who were left holding Yahoo shares as news of the disaster trickled out.

The plot became thicker this week as an FBI agent told Ars Technica, "Yahoo was under no government mandate not to tell customers of the breach." If this other shoe drops, the SEC fallout for Yahoo could be painful.

刘颖

TRANSLATIONS

上周，美国司法部在一份令人惊讶的文件中揭示了俄罗斯间谍怎样和普通罪犯合作，进而在数以百万计的雅虎用户账号中挖掘信息的过程。在这份39页的公诉书中，司法部披露了这次大规模数据盗窃事件的新细节以及一些怪异的小插曲，比如一名黑客还利用雅虎账号信息来推销阳痿治疗药物。

联邦政府在这份报告中以及新闻发布会上宣布对四人提起网络犯罪诉讼，并且详细解释了谁黑了雅虎及其实施过程。然而，消费者和投资者还需要其他一些重大问题的答案。以下五个问题对我们来说尚未水落石出。


2013年被黑的那10亿个账号后来怎么样了？

司法部本次披露的信息和2014年被黑的5亿个账号有关，这些账号从电子邮件到精彩的体育服务无所不包；雅虎去年9月披露了此事。但奇怪的是，2013年涉及10亿账号的黑客入侵事件规模更大，司法部的文件对此却只字未提；雅虎则是在去年12月公布了相关消息。

这是什么情况？2013年的黑客事件和所谓的2014年俄罗斯黑客在政府支持下实施入侵无关？还是说2013年的数据盗窃同样是俄罗斯人所为，就像上述文件罗列的罪魁祸首一样，只是没有政府参与？如果是后一种情况，雅虎被黑从一开始就“由政府发起”的说法就站不住脚了。这两次黑客事件也会因此变成俄罗斯间谍机构支撑网络犯罪的又一证据。


遭黑客入侵但未披露的高管和公司有哪些？

据说俄罗斯黑客侵入了美国大公司高管的雅虎账号，其中包括一家大型航空公司和一家金融公司。如果情况属实，黑客就有可能得到所有敏感公司信息，特别是在高管用这些非工作邮箱和大客户联系的情况下（但这种情况并不常见）。

该报告还描述了黑客如何得以进入“美国一家云计算公司三个分支机构的雅虎账号”。显然，我们没办法知道这是哪家公司，它有可能是Amazon Web Services、Salesforce、微软或者其他什么公司。但要注意的是，这些高管被黑的雅虎账号可能会成为一个踏板，进而让黑客侵入他们的公司账号，或者得到那家云服务提供商的客户信息。


司法部为什么在这个时候公布此事？

司法部调查雅虎被黑的消息已经传了几个月，因此上述报告并不十分出人意料。但鉴于俄罗斯黑客行为已经有了非常浓的政治色彩，还是应该问一下司法部为什么选择在上周公布此事。

这可能只是因为调查恰好在此时结束。然而，一位和司法部有联系但无权实名披露信息的人士指出，选在这个时候也许是故意为之。该人士解释说，许多人都怀疑雅虎被黑一案引起了新任司法部长杰夫·塞申斯的注意，他随即敦促将报告公诸于众，以表明他和特朗普政府都打算对俄罗斯黑客采取强硬立场。


雅虎都有谁，在什么时候知道自己被黑了？

这依然是所有问题中最棘手、最敏感的一个。去年9月披露此事后，雅虎对事情的真相一直遮遮掩掩（让我们用一种礼貌的说法）。该公司承认，首次发现自己被黑是在2014年，但不知怎的，这个问题的重要性一直没有达到需要通知高层的水平。

雅虎首席执行官玛丽莎·梅耶尔一直坚持的说辞是自己知道此事的时间不比别人早多少，其中包括当时已经决定收购雅虎的威瑞森电信。今年3月初，梅耶尔基本上把整个黑锅都扣在了雅虎律师罗恩·贝尔头上，此举在社交媒体上招致一片斥责，著名科技新闻记者卡拉·斯维什尔也就此炮轰了梅耶尔。

就算上述官方报告属实，但它还是没有说明谁最先知晓了账号被盗事件，以及这个消息到达了管理团队的哪一层。司法部的报告对此未置一词。不过，集体诉讼律师很有可能通过证据开示程序来揭示实情。


美国证交会将采取何种措施？

司法部的报告是从刑事角度处理雅虎被黑事件，即使四名黑客中有三人都不太可能在美国入狱，因为他们远在俄罗斯。

但此事还牵涉到另一项重大调查，那就是新闻报道中美国证券交易委员会的行动。该机构的调查旨在弄清楚雅虎没有向投资者披露黑客事件是否违法，因为此事曝光时那些投资者手里还都拿着雅虎的股票。

上周，美国联邦调查局一位特工向科技博客媒体Ars Technica透露：“政府从未禁止雅虎向消费者披露这次黑客入侵事件。”如果此事同样坐实，证交会的调查就可能对雅虎产生不利影响。