Hacker Selling Credentials of 200 Million Yahoo Users

A hacker claims to possess 200 million Yahoo user accounts and he is offering to sell the information on a dark web cybercrime marketplace for a few Bitcoins.

The hacker, known online as “Peace” and “peace_of_mind,” is selling usernames, easily crackable MD5 password hashes and dates of birth for 3 Bitcoin (roughly $1,800) on a website called TheRealDeal. The cybercriminal, who has an excellent reputation on TheRealDeal, has also sold hundreds of millions of accounts belonging to Tumblr, Myspace, VK and LinkedIn users.

Peace provided a sample of the data to Vice’s Motherboard, which determined that many of the accounts are not valid. However, this does not necessarily mean the information is fake – the hacker said the data is from 2012 and Yahoo is known to delete accounts that are inactive for over one year.

Yahoo says it’s aware of the hacker’s claims, but the company has not confirmed or denied that the data comes from its systems.

“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms,” the company stated.

Yahoo confirmed suffering a breach in 2012. At the time, a group called D33ds Company gained access to more than 450,000 usernames and passwords after stealing a file from the Yahoo Contributor Network. Softpedia says there is no evidence that the data offered for sale by Peace is the same as the one stolen in the Contributor Network breach.

“While Yahoo has not confirmed that the data being sold consists of real user credentials, it hasn’t denied it either. This is an ominous sign – especially in light of the recent Myspace and LinkedIn compromises,” Adam Levin, chairman and founder of IDT911, told SecurityWeek. “Those with accounts that could be impacted should be hyper diligent to ensure their information remains safe. It appears that Yahoo hasn’t issued password resets yet, but users should not sit idly by and wait for this. They need to immediately change their Yahoo passwords, as well as those for any other accounts where they have used the same or similar login information.”

The recent mega leaks have forced several major companies to reset their users’ passwords after malicious hackers attempted to leverage the exposed credentials to access accounts. The list of firms hit by password reuse attacks includes Carbonite, GitHub, Netflix, Facebook, GoToMyPC, Reddit, TeamViewer and Twitter.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
