Yahoo said some of its servers were breached briefly by hackers, but that the attack was unrelated to the newly discovered Shellshock vulnerability, and that no user data was compromised.
In a posting late Monday on the Hacker News forum, Yahoo’s chief information security officer Alex Stamos said hackers managed to breach three of its sports servers that deliver live game-streaming data.
“After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” Stamos wrote, referring to the recently discovered flaw which could affect millions of computers and other Internet-connected devices.
“At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed.”
The comments came after security researcher Jonathan Hall reported the breach, and said it was the result of the flaw known as Shellshock or Bash. On Tuesday, Hall maintained that the attack was the result of a Shellshock attack.
“The Yahoo! infiltration WAS from the ‘Shellshock’ vulnerability… How do I know? Because I sat there watching it happen.”
Stamos said the situation led to confusion because attackers had been trying to use the flaw to gain access.
“As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public,” he said.
“Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock.”
The US government and technology experts warned last month of a vulnerability in some computer-operating systems, including Apple’s Mac OS, which could allow widespread and serious attacks by hackers.
The flaw affects “Unix-based operating systems” powered by Linux and Apple’s Mac OS. Apple recently said it created a patch for its operating systems, and other software firms have done the same.
