200 million alleged Yahoo user details up for sale on Darknet
Based on the sample obtained by Motherboard, which first broke the news of the potential breach, apart from usernames and dates of birth, the data dump includes such sensitive information as passwords, backup email addresses, country of origin and even ZIP codes for some users.
All of these ‘handy’ details are available for just 3 bitcoin, or approximately US$1,800.
Motherboard checked a small sample of the credentials – some two dozen records – to discover that most of the tested Yahoo usernames are linked to actual accounts. However, messages sent to some 100 of the addresses in the sample set were bounced back as undeliverable. This may be due to the fact that the listed data was “most likely” from 2012, as the advert on Darknet claimed, and some accounts may have been deleted since then.
The listing also said that passwords obtained were hashed with an MD5 algorithm, a password-storing method which is known to be easily hacked nowadays.
The listing was put up for sale by the notorious hacker Peace_of_Mind [Peace] and gained credibility nearly instantly, as Peace has a history of successfully breaching web platforms. As his latest achievement, in May this year, Peace pitched over 100 million LinkedIn members’ Email addresses and passwords on the same Darknet market.
Yahoo has not acknowledged the breach, but said it is aware of the listing.
“We are aware of a claim,” a Yahoo statement reads, stressing that the web service has launched a probe into the advertisement.
“We are committed to protecting the security of our users’ information and we take any such claim very seriously. Our security team is working to determine the facts,” the company said.
There is not much information on the hacker’s identity. In an interview given to Wired, the group or individual behind the Peace persona said he or she was once part of a Russian hacking group that hacked major technology organizations.
After that group reportedly broke up, a number of data dumps surfaced on the Darknet, including some 160 million accounts from LinkedIn (in two separate listings), 100 million user details from Russian social media platform VK.com (V Kontake or ‘In Contact’) and 360 million credentials from MySpace. In an interview to Softpedia, Peace claimed these breaches had earned him some $65,000.