Prime Minister Malcolm Turnbull will ask his cyber security adviser to investigate how senior Australian politicians were caught up in a massive global data breach affecting Yahoo internet services.
Social Services Minister Christian Porter, shadow treasurer Chris Bowen and Liberal senator Cory Bernardi are among those whose Yahoo-linked accounts were reportedly affected by the breach.
As experts warned that stolen data could be used for blackmail, Mr Turnbull acknowledged: “Cyber vulnerability is a very real issue. It’s really important for all of us to be aware of cyber security.”
The ABC said it identified the MPs, including Victorian Premier Daniel Andrews and Liberal MP Andrew Hastie, from a data set obtained through US cyber security firm InfoArmor.
The affected Yahoo facilities were not only email accounts but also involved Yahoo-linked services such as Tumblr, the blogging platform, and Flickr, the photo-sharing application, the ABC reported.
But it was not clear whether the affected accounts were still active or had ever been used. The original hack occurred in August 2013, meaning any federal Coalition MPs were then in opposition.
Mr Turnbull also stressed that “classified government information can only be transmitted or used on approved government communications systems”, not Yahoo accounts.
Richard Buckland of the Australian Centre for Cyber Security warned that if private data had been compromised it could make the affected MPs, judges and public officials vulnerable to blackmail.
A spokesman for Mr Porter said the minister had never knowingly used a Yahoo account, but one may have been created by a staffer during his time as a state MP in Western Australia.
Mr Hastie also told Fairfax Media he could not recall ever operating a Yahoo account, while a spokesman for Mr Bowen said he had not used such an account in 10 years.
Fairfax Media has requested a response from Defence Minister Marise Payne and the Department of Defence, which confirmed to the ABC it had been notified about the Yahoo breach in October.
Two months later, Yahoo publicly revealed that a system breach that occurred in August 2013 had affected about one billion of its accounts – the largest ever known breach of a company’s private data.
Names, addresses, passwords and phone numbers were stolen by unidentified attackers in the second major data breach to affect Yahoo in as many years. In 2014, 500 million email accounts were compromised in a hacking episode the company believed to be sponsored by an unidentified government entity.
In August last year, the database stolen in 2013 was put up for sale by an Eastern European hacking group, with a price tag of $300,000, according to InfoArmor chief intelligence officer Andrew Komarov.
According to The New York Times, Mr Komarov notified global law enforcement agencies – including in Australia – about the breach at some point in the months leading up to December.
Mr Komarov says an outfit he calls Group E was responsible for the 2013 hack. The group is also understood to have broken into systems belonging to LinkedIn, Myspace, Dropbox and Tumblr, according to The New York Times.
Fairfax Media also contacted InfoArmor at its Arizona headquarters but did not receive a response on Tuesday.