Yahoo has announced that the hackers who breached its servers this weekend did not use the Shellshock superbug as was previously reported.
In a statement, Yahoo’s head of information security Alex Stamos said that hackers had executed malware in a failed search for Shellshock vulnerabilities, and had not gained access to any user data.
The attackers, who zeroed in on the site’s Sports API servers, “mutated” the malicious code to look for access points.
Stamos reported that the original security flaw was exclusive to a small number of machines, and that it has now been fixed, with the malware added to Yahoo’s scanners.
He wrote: “We isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.
“At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected.
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public.”
He added: “Just because exploit code works doesn’t mean it triggered the bug you expected!”
Yahoo’s investigation into server security was launched after ethical hacker Jonathan Hall discovered that a group of Romanian cyber criminals was infiltrating Yahoo servers.
Hall, who published his method and his findings on his blog, also alerted Yahoo and the FBI to the hack.
Stamos also addressed criticism of Yahoo for not compensating Hall for his discovery, arguing that it was made outside of the company’s bug bounty programme.
He wrote: “Yahoo takes external security reports seriously and we strive to respond immediately to credible tips.
“Our records show no attempt by this researcher to contact us using [bug bounty] means.”
Hall also found similar security breaches in WinZip and Lycos servers. He said that WinZip confirmed the hack and thanked him for the discovery.
Hall claims that Lycos, on the other hand, denied the hack and has tried to cover it up by deleting the compromised script.