200 million alleged Yahoo account details leaked on Darknet
A huge cache of personal information that includes usernames, hashed passwords, and dates of birth of some 200 million alleged Yahoo users have been put for sale online on a Darknet marketplace called the Real Deal.
The cybercriminal with the name “Peace” who is behind this leak has in the past successfully breached social platforms like MySpace, LinkedIn, and Tumblr and sold millions of passwords and email addresses online.
Motherboard, who was the first to report about the potential breach based on the sample obtained by them, said that the data dump put up online also includes backup email addresses, country of origin and even ZIP codes for some users.
When Motherboard tested the details of two dozen allegedly stolen contact details from a sample of 5,000, it found that they matched with genuine Yahoo accounts. However, when it tried to contact 100 of the addresses its attempts were returned with error messages such as “this account has been disabled or discontinued” and “this user doesn’t have a yahoo.com account”.
The reason could be that the personal data may have been stolen back in 2012 and is now being sold online for 3 bitcoins, or approximately US$1,800 per entry. It is suggestive of the 360 million MySpace credentials, 117 million LinkedIn account details, and 65 million Tumblr emails put up for sale in May. However, it is not clear whether the person hacked the database themselves or has simply collated details that were already circulating.
Yahoo, which sold to Verizon for $5 billion last week, neither confirmed nor denied the validity of the alleged stolen credentials, but said it is aware of the listing.
“We are committed to protecting the security of our users’ information and we take any such claim very seriously,” Yahoo said in a statement. “Our security team is working to determine the facts. Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”
This is the second time what is claimed to be stolen Yahoo credentials have gone on sale on the dark net this year. In May, Hold Security has discovered the details of tens-of-millions of Yahoo, Gmail and Hotmail accounts on a Russian dark net site.