Yahoo has blamed its massive data breach on a "state-sponsored actor." But the company isn't saying why it arrived at that conclusion. Nor has it provided any evidence.
The lingering questions are causing some security experts to wonder why Yahoo isn't offering more details on a hack that stole account information from 500 million users.
"I think there's a lot of fishiness going on here," said Michael Lipinski, the chief security strategist at Securonix, which sells a security-analytics platform.
Yahoo didn't respond to a request for comment. The company has protocols in place that can detect state-sponsored hacking into user accounts. In a December 2015 blog post, the company outlined its policy, saying it will warn users when this is suspected.
"In order to prevent the actors from learning our detection methods, we do not share any details publicly about these attacks," wrote Yahoo chief information security officer Bob Lord at the time. He added that the company only sends out these notifications "when we have a high degree of confidence."
However, blaming a high-profile breach on state-sponsored hackers might also be a convenient excuse to reduce culpability.
"If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat," said Chase Cunningham, director of cyber operations at security provider A10 Networks.
The perception is that state-sponsored hackers are unstoppable and among the best in the world, he added. Cunningham suspects that cyber criminals, and not an elite government-backed group, may have actually targeted Yahoo.
"This just doesn't reek of nation-state activity," he said. "Nation-states are after intellectual property. They don't give a damn about emails and passwords from a Yahoo account."
The internet company might also be holding back details on the breach because of the pending Verizon deal; Verizon has agreed to pay $4.8 billion to buy Yahoo.
"I'm not sure the Verizon acquisition will still go through," said Lipinski of Securonix. Verizon, for example, might have to fork up millions more in cash to deal with the breach's fallout.
"But blaming it on a state-sponsored actor will kind of help them [Yahoo]," he added. "They can say, 'It's not our fault, our insurance will take care of it.'"
Even though Yahoo hasn't provided much evidence, other security experts also said it's still very possible state-sponsored hackers were responsible for the data breach. A government might have been interested in targeting the email accounts of human rights activists, for instance. Or the breach could have been initiated by a company insider, who was actually a spy.
There are other possible reasons for Yahoo to withhold data, added Vitali Kremez, a cybercrime analyst with security firm Flashpoint.
"Law enforcement could be investigating and they [Yahoo] don't want to jeopardize anything," he said. "They could also be preparing legal proceedings."
Yahoo said it only recently learned of the data breach. But the hack actually occurred back in late 2014 -- meaning the perpetrators have had two years to secretly exploit the data.
If state-sponsored hackers did indeed target Yahoo, Kremez fears that other companies might have been victims as well -- they just don't know it.
"We do need more transparency," Kremez said. "We'd all like to know more to see if this fits into a larger pattern."