Hacker Selling Credentials of 200 Million Yahoo Users

A hacker claims to possess 200 million Yahoo user accounts and he is offering to sell the information on a dark web cybercrime marketplace for a few Bitcoins.

The hacker, known online as “Peace” and “peace_of_mind”, is selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.

Peace provided a sample of the data to Vice’s Motherboard, which determined that many of the accounts are not valid. However, this does not necessarily mean the information is fake – the hacker said the data is from 2012 and Yahoo is known to delete accounts that are inactive for over one year.

Yahoo says it’s aware of the hacker’s claims, but the company has not confirmed or denied that the data comes from its systems.

“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” the company stated.

Yahoo confirmed suffering a breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo Contributor Network. Softpedia says there is no evidence that the data offered for sale by Peace is the same as the one stolen in the Contributor Network breach.

“While Yahoo has not confirmed that the data being sold consists of real user credentials, it hasn’t denied it either. This is an ominous sign – especially in light of the recent Myspace and LinkedIn compromises,” Adam Levin, chairman and founder of IDT911, told SecurityWeek. “Those with accounts that could be impacted should be hyper diligent to ensure their information remains safe. It appears that Yahoo hasn’t issued password resets yet, but users should not sit idly by and wait for this. They need to immediately change their Yahoo passwords, as well as those for any other accounts where they have used the same or similar login information.”

The recent mega leaks have forced several major companies to reset their users’ passwords after malicious hackers attempted to leverage the exposed credentials to access accounts. The list of firms hit by password reuse attacks includes Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.