SecurityWeek

Data Protection

Hacker Selling Credentials of 200 Million Yahoo Users

A hacker claims to possess 200 million Yahoo user accounts and he is offering to sell the information on a dark web cybercrime marketplace for a few Bitcoins.

The hacker, known online as “Peace” and “peace_of_mind,” is selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.

Peace provided a sample of the data to Vice’s Motherboard, which determined that many of the accounts are not valid. However, this does not necessarily mean the information is fake – the hacker said the data is from 2012 and Yahoo is known to delete accounts that are inactive for over one year.

Yahoo says it’s aware of the hacker’s claims, but the company has not confirmed or denied that the data comes from its systems.

“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” the company stated.

Yahoo confirmed suffering a breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo Contributor Network. Softpedia says there is no evidence that the data offered for sale by Peace is the same as the one stolen in the Contributor Network breach.

“While Yahoo has not confirmed that the data being sold consists of real user credentials, it hasn’t denied it either. This is an ominous sign – especially in light of the recent Myspace and LinkedIn compromises,” Adam Levin, chairman and founder of IDT911, told SecurityWeek. “Those with accounts that could be impacted should be hyper diligent to ensure their information remains safe. It appears that Yahoo hasn’t issued password resets yet, but users should not sit idly by and wait for this. They need to immediately change their Yahoo passwords, as well as those for any other accounts where they have used the same or similar login information.”

The recent mega leaks have forced several major companies to reset their users’ passwords after malicious hackers attempted to leverage the exposed credentials to access accounts. The list of firms hit by password reuse attacks includes Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
