InfoArmor said the hacked trove of user data was later sold to at least three clients, including one state-sponsored group.
"Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations," Scottsdale, Arizona-based InfoArmor said Wednesday in a report. "The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur."
InfoArmor concluded the Yahoo hackers were criminal after reviewing a small sample of compromised accounts. The hackers, dubbed Group E, have a track record of selling stolen personal data on the dark web, and have been previously linked to breaches at LinkedIn, Tumblr and MySpace, said Andrew Komarov, the firm's chief intelligence officer.
Yahoo declined comment.
Yahoo said last week that it only recently discovered the intrusion, which it blamed on a state-sponsored actor without providing technical evidence.